autoregress
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
autoregress
Synopsis
Sets up data for calculating the moving average.
Syntax
autoregress field [as field:newfield] [p=int:p_start [- int:p_end]]
Arguments
- p
- Datatype: <int:p_start>
- Description: If 'p' option is unspecified, it is equivalent to p_start = p_end = 1 (i.e., copy only the previous one value of field into field_p1
- newfield
- Datatype: <field>
- Description: note that p cannot be a range if newfield is specified.
- p_start
- Datatype: <int>
- Description: If 'p' option is unspecified, it is equivalent to p_start = p_end = 1 (i.e., copy only the previous one value of field into field_p1
- p_end
- Datatype: <int>
- Description: If 'p' option is unspecified, it is equivalent to p_start = p_end = 1 (i.e., copy only the previous one value of field into field_p1
Description
Sets up data for auto-regression (e.g. moving average) by copying the p-th previous values for field into each event as newfield (or if unspecified, new fields field_pp-val for p-val = p_start-p_end). If 'p' option is unspecified, it is equivalent to p_start = p_end = 1 (i.e., copy only the previous one value of field into field_p1. note that p cannot be a range if newfield is specified.
Examples
Example 1: For each event, copy the 3rd previous value of the 'foo' field into the field 'oldfoo'.
... | autoregress foo AS oldfoo p=3
Example 2: For each event, copy the 2nd, 3rd, 4th, and 5th previous values of the 'count' field into the respective fields 'count_p2', 'count_p3', 'count_p4', and 'count_p5'.
... | autoregress count p=2-5