- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Is it possible to autoregress by unique site
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get a series of unique sites sending through the size of Database. I would like to show the growth of their DB to see if it is growing too quickly.
I am currently doing this using streamstats and it works fine but is a bit messy. I feel like I could use autoregress to tidy things up, but I cannot find a way to autoregress by site ID.
My current base search leaves a table that is sorted by time but with a mix of unique sites. I would like to compare the latest result from each site with the previous result of THAT site.
Would it be possible to do something like this:
basesearch|autoregress DBSizeCurrent as DBSizePrevious by siteID p=1
This does not work, but I feel like I must be doing something wrong. Or can you not use the 'by' argument in autoregress at all?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Amohlmann,
the autoregress docs http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Autoregress do not mention anything about the usage of by.
You could use streamstats or eventstats to get the previous event, try this run everywhere command:
index=_internal kbps>=10 | streamstats current=f last(kbps) AS last_kbps last(_time) AS last_time by _time | table _time, kbps, last_time, last_kbps
You could also use the window option for streamstats if you need more than just one previous event, see docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Streamstats
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Amohlmann,
the autoregress docs http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Autoregress do not mention anything about the usage of by.
You could use streamstats or eventstats to get the previous event, try this run everywhere command:
index=_internal kbps>=10 | streamstats current=f last(kbps) AS last_kbps last(_time) AS last_time by _time | table _time, kbps, last_time, last_kbps
You could also use the window option for streamstats if you need more than just one previous event, see docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Streamstats
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks MuS, that is what I am already doing just thought there might have been a work around for autoregress.
Guess not.
Thanks for your help
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
