Hi, when I work with SQL I find the "Lead\ Lag" function very crutial. I'm using it mostly between dates. Does splunk supply an alternative? thanks!
You could use streamstats (http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Streamstats ). Say you want LAG(field):
streamstats
... | streamstats current=f last(field) as last_field
For LEAD, just get the results in reverse order (using reverse).
reverse
You might also want to have a look at delta which computes differences between values of a field for different events. http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Delta
delta
View solution in original post
What if I want to lag values 7 rows apart (not just the previous one)?
what do you want to achieve? any data sample to better understand? Have you check this link: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk
