index="index" | table _time, ItemName, Measurement | rex mode=sed field=ItemName "s/[#-%&\$*+(). 0123456789]//g" | timechart span=10s last(Measurement) by ItemName limit=0 | outlier action=rm |
I have a column name called thickness and am trying to shift its data point by 1 min in this example. I don't want to shift all data points, just the one column.
Machine Learning Tool is Predict Categorical Fields.
Any help would be greatly appreciated.
This is what I used to shift time. I used append and added the following code to shift time by x.
eval _time = relative_time(_time,"-50s")
So in other words, you want to shift the thickness column down by six rows?
Do something like this after the timechart:
... | streamstats window=6 first(thickness) as shifted_thickness | ...
I didn't test if you need 6 or 7, and first() or last() - I always confuse the two. Just give it a shot and see how it behaves, adjust accordingly.
I see. streamstats walks along the events in the order they are input into streamstats, which by Splunk default is reverse time order. It then looks back, so you get later in time easily.
One simple way would be to run reverse before and after the streamstats... would be slow though, depending on number of events. Another way would be to not copy the timestamp over by six events, but rather copy the value over by six events. Effectively that would shift the time in the other direction.
This almost does what I need. It shifts in the wrong direction. If I do last(thickness) time isn't shifted at all, and if I do first(thickness) it goes later in time. I want it to be shifted up in time.
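The reverse / streamstats / reverse approach suggested in the thread, written out as an added example that is not part of the original posts. It runs on constructed data from makeresults (12 rows spaced 10 s apart, so six rows equal 1 min) instead of the poster's index; the helper fields n and w are hypothetical names, and window=7 is used because the window includes the current row plus the six before it in input order.

```spl
| makeresults count=12
| streamstats count as n
| eval _time = relative_time(now(), "@m") + n * 10, thickness = n
| reverse
| streamstats window=7 first(thickness) as shifted_thickness count as w
| eval shifted_thickness = if(w == 7, shifted_thickness, null())
| reverse
| table _time, thickness, shifted_thickness
```

Each row's shifted_thickness carries the thickness value from six rows later in time, so the series moves earlier by 1 min. The w check leaves shifted_thickness empty on the final rows, where the window holds fewer than seven events and no value six rows ahead exists.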