Introduction :

Autoregression is a time series model that predicts the current value from previous values. It is used for forecasting when successive values in a time series are correlated.

Definition :

In Splunk, the “autoregress” command is used to calculate a moving average. (A moving average (MA) is a stock indicator commonly used in technical analysis; it smooths out price data by maintaining a constantly updated average price.)

Example : to predict a product's price for the next day, we take the average of the closing price over the last 30 days.

Syntax :

autoregress <field> [ p=<int> | p=<int>-<int> ]

<field> – The name of the field whose earlier values are copied into the current event.

p=<int> – Copies the value of <field> from the single prior event <int> positions back into a new field <field>_p<int>. Example: p=2 creates <field>_p2.

p=<int>-<int> – Copies the value of <field> from each prior event in the range, one new field per lag. Example: p=3-6 creates <field>_p3 through <field>_p6.

Example :

Query :

index="main" sourcetype=geo | eval data=len(_raw) | autoregress data p=1-2 | eval average=(data + data_p1 + data_p2)/3 | table data, data_p1, data_p2, average | rename average as moving_average


Result :

Explanation :

In the above search, we read events from the main index (Splunk's default index, where indexed data is stored unless another index is specified) with sourcetype “geo” (data related to geographical location), as given in the base search. The next pipe stage, eval data=len(_raw) (eval evaluates mathematical expressions), computes len(_raw), the size of each raw event, and stores it in the ‘data’ field.

autoregress data p=1-2 then copies the value of ‘data’ from the first and second prior events into the new fields data_p1 and data_p2. eval average=(data + data_p1 + data_p2)/3 adds the current event and the two previous events and divides by 3 (the total number of events) to calculate the moving average, that is (165+169+189)/3, and stores the result (174.333…) in the new ‘average’ field. The table command displays data, data_p1, data_p2 and ‘average’ in tabular format, and finally the rename command renames ‘average’ as ‘moving_average’.

The moving_average is absent for the first two events: data_p1 and/or data_p2 do not exist there, and Splunk arithmetic involving a null field evaluates to null, so no incorrect partial average is displayed.
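To make the lag fields and the null rule concrete, here is an added Python re-implementation of what the query above does; it is not part of the original post and not Splunk code. The event sizes are constructed so that the third row reproduces the (165+169+189)/3 = 174.333… value from the explanation, and the function names (autoregress, moving_average, run_query) are this example's own.

```python
# Added example (not from the original post): simulates
# `autoregress data p=<from>-<to>` followed by
# `eval average=(data + data_p1 + ... + data_pN)/(N+1)`.
from typing import Optional

# Constructed sample events: `data` stands for len(_raw), the raw event size.
SAMPLE_EVENTS = [
    {"data": 165},
    {"data": 169},
    {"data": 189},
    {"data": 171},
    {"data": 180},
]


def autoregress(events, field, p_from=1, p_to=None):
    """Copy `field` from the p-th prior row into `<field>_p<p>` for each p in range.

    p=<int> is the case p_from == p_to. Rows earlier than the p-th one get no
    lag field at all, matching Splunk, where the field is simply absent (null).
    """
    if p_to is None:
        p_to = p_from
    out = []
    for i, ev in enumerate(events):
        row = dict(ev)
        for p in range(p_from, p_to + 1):
            if i - p >= 0:
                row[f"{field}_p{p}"] = events[i - p][field]
        out.append(row)
    return out


def moving_average(row, field, p_to) -> Optional[float]:
    """Average of the current value and its p_to lags.

    Applies Splunk's null rule: arithmetic on a missing field yields null,
    so rows lacking any lag field return None instead of a partial average.
    """
    terms = [row.get(field)] + [row.get(f"{field}_p{p}") for p in range(1, p_to + 1)]
    if any(t is None for t in terms):
        return None
    return sum(terms) / len(terms)


def run_query(events, p_from=1, p_to=2):
    """The full pipeline: autoregress, eval average, rename to moving_average."""
    rows = autoregress(events, "data", p_from, p_to)
    for row in rows:
        row["moving_average"] = moving_average(row, "data", p_to)
    return rows


if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row)
```

Running it prints one dict per row; the first two rows carry moving_average None, exactly as the Splunk table leaves the field empty for the initial events.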


Happy Splunking 😉