
trendline

The trendline command calculates a moving average of a numeric field over an ordered sequence of rows, as either a simple moving average (sma) or a weighted moving average (wma) that gives more weight to recent values. The window is counted in rows (number-of-datapoints), not in elapsed time.

Syntax

The trendline command has the following syntax:

trendline [sort [+|-] <sort-field>] (sma | wma)(<number-of-datapoints>, <field>) [as <alias>] [(sma | wma)(<number-of-datapoints>, <field>) [as <alias>]]...

Parameters

The trendline command supports the following parameters.

| Parameter | Required/Optional | Description |
|-----------|-------------------|-------------|
| `[+\|-]` | Optional | The sort direction for `<sort-field>`: `+` for ascending or `-` for descending. Default is ascending. |
| `<sort-field>` | Required | The field used to sort the data before the moving average is calculated. |
| `(sma \| wma)` | Required | The type of moving average: `sma` for a simple moving average (equal weights) or `wma` for a weighted moving average that gives more weight to recent values. |
| `<number-of-datapoints>` | Required | The number of data points (rows) in the moving-average window. Must be greater than zero. |
| `<field>` | Required | The numeric field for which the moving average is calculated. |
| `<alias>` | Optional | The name of the resulting column containing the moving average. Default is the `<field>` name with `_trendline` appended. |

Example 1: Tracking whether severity is escalating over time

The following query calculates a 3-point simple moving average of severityNumber:

source=otellogs
| sort `@timestamp`
| trendline sma(3, severityNumber) as sev_trend
| fields severityText, severityNumber, sev_trend
| head 6

The query returns the following results. The first two rows have a null sev_trend because the 3-point window is not yet full; from the third row on, each value is the mean of that row and the two rows before it (for example, (9 + 9 + 13) / 3 = 10.33):

fetched rows / total rows = 6/6
+--------------+----------------+--------------------+
| severityText | severityNumber | sev_trend          |
|--------------+----------------+--------------------|
| INFO         | 9              | null               |
| INFO         | 9              | null               |
| WARN         | 13             | 10.333333333333334 |
| ERROR        | 17             | 13.0               |
| DEBUG        | 5              | 11.666666666666666 |
| ERROR        | 17             | 13.0               |
+--------------+----------------+--------------------+

Example 2: Using weighted moving average for recent-biased trends

The following query calculates a weighted moving average. Within each 3-point window the oldest value is weighted 1, the middle value 2 and the newest value 3, and the weighted sum is divided by the sum of the weights (6), so recent values dominate the result (for example, (9 * 1 + 9 * 2 + 13 * 3) / 6 = 11.0):

source=otellogs
| sort `@timestamp`
| trendline wma(3, severityNumber) as wma_trend
| fields severityText, severityNumber, wma_trend
| head 6

The query returns the following results:

fetched rows / total rows = 6/6
+--------------+----------------+--------------------+
| severityText | severityNumber | wma_trend          |
|--------------+----------------+--------------------|
| INFO         | 9              | null               |
| INFO         | 9              | null               |
| WARN         | 13             | 11.0               |
| ERROR        | 17             | 14.333333333333334 |
| DEBUG        | 5              | 10.333333333333334 |
| ERROR        | 17             | 13.0               |
+--------------+----------------+--------------------+
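The following Python is an added example, not code from the OpenSearch project. It reproduces the semantics of both queries above on constructed rows: the sma/wma window arithmetic, the null cells until the window is full, the exclusion of rows whose field is null (the limitation described below), and the optional sort step. It also adds a threshold check that shows why the weighted average reacts to the ERROR spike at the fourth row while the simple average smooths it away. The field names severityNumber and @timestamp come from the page; the timestamps, the sample rows and the helper names (trendline, rows_at_or_above) are assumptions made for this example.

```python
"""Reference implementation of the trendline command's sma/wma semantics,
run over constructed otellogs-style rows (added example, not plugin code)."""
from typing import Any, Optional, Sequence

# Constructed sample: six rows using the severityNumber values from the
# examples on this page. The @timestamp values are assumed (fabricated) so
# that the sort step has something to order by.
SAMPLE_ROWS: list[dict[str, Any]] = [
    {"@timestamp": "2024-05-01T10:00:00Z", "severityText": "INFO", "severityNumber": 9},
    {"@timestamp": "2024-05-01T10:00:05Z", "severityText": "INFO", "severityNumber": 9},
    {"@timestamp": "2024-05-01T10:00:10Z", "severityText": "WARN", "severityNumber": 13},
    {"@timestamp": "2024-05-01T10:00:15Z", "severityText": "ERROR", "severityNumber": 17},
    {"@timestamp": "2024-05-01T10:00:20Z", "severityText": "DEBUG", "severityNumber": 5},
    {"@timestamp": "2024-05-01T10:00:25Z", "severityText": "ERROR", "severityNumber": 17},
]


def sma(values: Sequence[float], n: int) -> list[Optional[float]]:
    """Simple moving average: mean of the last n values. The first n-1
    positions are None, mirroring the null cells the command returns
    before the window is full."""
    if n <= 0:
        raise ValueError("number-of-datapoints must be greater than zero")
    out: list[Optional[float]] = []
    for i in range(len(values)):
        if i + 1 < n:
            out.append(None)
        else:
            out.append(sum(values[i + 1 - n : i + 1]) / n)
    return out


def wma(values: Sequence[float], n: int) -> list[Optional[float]]:
    """Weighted moving average: weights 1..n, the newest value weighted n,
    divided by 1 + 2 + ... + n, so recent values dominate."""
    if n <= 0:
        raise ValueError("number-of-datapoints must be greater than zero")
    denom = n * (n + 1) // 2
    out: list[Optional[float]] = []
    for i in range(len(values)):
        if i + 1 < n:
            out.append(None)
        else:
            window = values[i + 1 - n : i + 1]
            out.append(sum(w * v for w, v in zip(range(1, n + 1), window)) / denom)
    return out


def trendline(rows, field, n, kind="sma", alias=None, sort_field=None, descending=False):
    """Mimic `trendline [sort [+|-] <sort-field>] kind(n, field) [as alias]`.

    Rows whose field is null (None) are dropped before the window is
    computed, matching the limitation documented on this page; note that
    the window then spans the surviving rows, not a fixed time span."""
    alias = alias or f"{field}_trendline"
    kept = [r for r in rows if r.get(field) is not None]
    if sort_field is not None:
        kept = sorted(kept, key=lambda r: r[sort_field], reverse=descending)
    trend = {"sma": sma, "wma": wma}[kind]([r[field] for r in kept], n)
    return [dict(r, **{alias: t}) for r, t in zip(kept, trend)]


def rows_at_or_above(rows, alias, threshold):
    """Indices of rows whose smoothed severity reaches the threshold; a
    simple escalation check a detection rule could be built on."""
    return [i for i, r in enumerate(rows)
            if r[alias] is not None and r[alias] >= threshold]


if __name__ == "__main__":
    for kind in ("sma", "wma"):
        out = trendline(SAMPLE_ROWS, "severityNumber", 3, kind, "sev_trend", "@timestamp")
        print(kind, [r["sev_trend"] for r in out],
              "rows >= 14:", rows_at_or_above(out, "sev_trend", 14))
```

With a threshold of 14 (between WARN and ERROR), only the wma run flags the fourth row: the sma value there is 13.0 because the two INFO rows in the window dilute the ERROR, while the wma value is 14.33 because the newest value carries half the weight. A detection that wants to react quickly to a burst of high-severity events should prefer wma; one that wants to suppress single spikes should prefer sma.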

Limitations

The trendline command has the following limitations:

  • The trendline command requires all values in the specified <field> to be non-null. Rows with a null value in that field are excluded from the command's output before the window is computed, so the moving average is taken over the remaining rows. Because the window is counted in rows rather than in elapsed time, dropped rows can make a window cover a longer period than the number-of-datapoints alone suggests.