Sumo Logic

backshift

The backshift operator compares values as they change over time. Backshift can be used with rollingstd, smooth, or any other operator whose results could be affected by spikes of data (where a spike could possibly throw off future results).

It's important to note that backshift doesn't automatically add timeslices, nor does it do any sorting. You must add those operators to the query yourself: a timeslice operator to bucket the data, and whatever sorting you'd like to include. To add time-series analysis, add _timeslice | ... | sort + _timeslice before the backshift operator in the query.

Syntax:

  • ... backshift field [, shift_length]

Rules:

  • An alias for backshift is optional. When an alias is not provided, _backshift is the default alias.
  • Specified fields must contain numeric values.
  • To add a query that includes a backshift operator to a Dashboard, you must add a group by function before the backshift operator.
  • The default window length is 10.
  • The maximum window length is 1000.

Examples:

Use backshift to see the difference of fields between time points, grouped by source host.

Running a query such as:

_sourcecategory=katta 
| timeslice by 1m 
| count by _timeslice,_sourcehost 
| sort + _timeslice 
| backshift _count,1 by _sourcehost

produces results like:

[Image: backshift_new_table.png]

Then you can visualize the results as an area chart.

[Image: backshift_new_graph.png]

Use backshift to see the difference of a field between time points.

Running a query like:

* | parse "bytes: '*'" as bytes 
| timeslice 1m 
| sum(bytes) as bytes by _timeslice 
| sort _timeslice 
| backshift bytes, 5

produces results similar to:

[Image: backshift_table.png]

Note that the results reflect the defined shift length of 5. These same results can be viewed graphically as:

[Image: backshift_graph.png]

Use backshift with smooth and rollingstd to view the averages of incoming bytes.

Running a query like:

...
| timeslice by 1m
| avg(oneMinuteRate) as avgRateByHost by _sourcehost,_timeslice
| sum(avgratebyhost) as totalIncomingRate by _timeslice
| sort + _timeslice
| backshift totalIncomingRate, 1 as lagRate
| smooth lagRate,10 as movingAvg
| rollingstd lagRate,10 as rollingStd
| movingAvg + (3 * rollingStd) as upper
| movingAvg - (3 * rollingStd) as lower

produces results similar to:
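The pipeline of the last query, modelled in Python as an added example (not Sumo Logic's own code): `backshift` shifts a field within each group, `bands` plays the smooth / rollingstd / upper / lower steps, and `outside_band` shows the point of lagging first, since each row is compared against a baseline built only from earlier rows. Assumptions: the operator emits the lagged value (as `as lagRate` in the query suggests), rollingstd is a population standard deviation, and the sample rows are constructed.

```python
from statistics import mean, pstdev

# Constructed sample: one row per minute, a steady rate with a single spike at minute 8.
SAMPLE = [{"_timeslice": t, "totalIncomingRate": 900 if t == 8 else 100} for t in range(1, 13)]


def backshift(rows, field, shift=1, by=None, alias="_backshift"):
    """Model of `backshift field, shift [by key] [as alias]`.
    Each row gets the value `field` had `shift` rows earlier in the same group,
    or None when no such row exists. Rows must already be sorted by _timeslice,
    because backshift itself does no sorting. Assumption: the operator emits the
    lagged value rather than a difference."""
    history, out = {}, []
    for row in rows:
        seen = history.setdefault(row.get(by) if by else None, [])
        lagged = seen[-shift] if len(seen) >= shift else None
        out.append({**row, alias: lagged})
        seen.append(row[field])
    return out


def bands(rows, field="lagRate", window=10, k=3):
    """smooth (moving average) and rollingstd over the last `window` lagged values,
    then upper/lower = movingAvg +/- k * rollingStd, as in the last query.
    Assumption: population standard deviation; rows with no lagged value get None."""
    out, buf = [], []
    for row in rows:
        if row[field] is not None:
            buf = (buf + [row[field]])[-window:]
        if buf:
            avg, std = mean(buf), pstdev(buf)
            out.append({**row, "movingAvg": avg, "rollingStd": std,
                        "upper": avg + k * std, "lower": avg - k * std})
        else:
            out.append({**row, "movingAvg": None, "rollingStd": None, "upper": None, "lower": None})
    return out


def outside_band(rows, field="totalIncomingRate"):
    """Timeslices whose current value lies outside a band built only from earlier values."""
    return [r["_timeslice"] for r in rows
            if r["upper"] is not None and not r["lower"] <= r[field] <= r["upper"]]


if __name__ == "__main__":
    lagged = backshift(SAMPLE, "totalIncomingRate", 1, alias="lagRate")
    print(outside_band(bands(lagged)))  # [8]
```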