Need to Time Shift one data point by X minutes for Machine Learning Application

gdziuba
Explorer

index="index" | table _time, ItemName, Measurement | rex mode=sed field=ItemName "s/[#-%&\$*+(). 0123456789]//g" | timechart span=10s last(Measurement) by ItemName limit=0 | outlier action=rm |

I have a column name called thickness and am trying to shift its data point by 1 min in this example. I don't want to shift all data points, just the one column.

Machine Learning Tool is Predict Categorical Fields.

Any help would be greatly appreciated.

0 Karma

gdziuba
Explorer

This is what I used to shift time. I used append and added the following code to shift time by x.

eval _time = relative_time(_time,"-50s")

0 Karma

martin_mueller
SplunkTrust

So in other words, you want to shift the thickness column down by six rows?

Do something like this after the timechart:

... | streamstats window=6 first(thickness) as shifted_thickness | ...

I didn't test if you need 6 or 7, and first() or last() - I always confuse the two. Just give it a shot and see how it behaves, adjust accordingly.

0 Karma

martin_mueller
SplunkTrust

I see. streamstats walks along the events in the order they are input into streamstats, which by Splunk default is reverse time order. It then looks back, so you get later in time easily.

One simple way would be to run reverse before and after the streamstats... would be slow though, depending on number of events. Another way would be to not copy the timestamp over by six events, but rather copy the value over by six events. Effectively that would shift the time in the other direction.

0 Karma

gdziuba
Explorer

This almost does what I need. It shifts in the wrong direction. If I do last(thickness) time isn't shifted at all, and if I do first(thickness) it goes later in time. I want it to be shifted up in time.

0 Karma
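
Added example, not part of any post in this thread: a small Python model of the streamstats suggestions above, showing how window size, first() versus last(), and row order decide the direction and size of the shift. It assumes the streamstats default of current=true (the window is the current row plus the window-1 rows before it in input order) and rows arriving in ascending time order; the function names and the sample thickness values are constructed for illustration.

```python
# Model of `streamstats window=N first(x)` / `last(x)` over one column.
# Assumption: the window holds the current row plus the N-1 rows that came
# before it in input order (streamstats default current=true).

def streamstats_first(values, window):
    """first(x): oldest row still inside the window, in input order."""
    out = []
    for i in range(len(values)):
        start = max(0, i - window + 1)  # partial window at the start of input
        out.append(values[start])
    return out


def streamstats_last(values, window):
    """last(x): newest row inside the window, which is the current row."""
    return list(values)


def shift_earlier(values, rows):
    """Model of `reverse | streamstats window=rows+1 first(x) | reverse`.

    Each row receives the value found `rows` rows later in time, so the
    column moves earlier on the time axis.
    """
    shifted = streamstats_first(values[::-1], rows + 1)
    return shifted[::-1]


# Constructed sample: one thickness value per 10s bucket, ascending time.
THICKNESS = [10, 11, 12, 13, 14, 15, 16, 17, 18, 19]

if __name__ == "__main__":
    print("original          ", THICKNESS)
    # window=6 reaches back only 5 rows, because the current row counts.
    print("window=6 first()  ", streamstats_first(THICKNESS, 6))
    # window=7 reaches back 6 rows: values land 60s later in time.
    print("window=7 first()  ", streamstats_first(THICKNESS, 7))
    # last() is always the current row: no shift.
    print("window=6 last()   ", streamstats_last(THICKNESS, 6))
    # Reversing before and after moves values 6 rows earlier in time.
    print("reverse, 7, first ", shift_earlier(THICKNESS, 6))
```

The rows at the edge of the input only have a partial window, so they repeat the first (or, for the reversed variant, the last) value rather than carrying a real shifted reading; drop or null those rows before feeding the column to a model.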