topic Re: Two predictions (Day and Night) in one report in Dashboards & Visualizations

Two predictions (Day and Night) in one report

maryambagherik — Tue, 29 Dec 2020 10:23:37 GMT

Hello Splunk community,

I need to do one prediction for two different time ranges in different span in one report.
The objective is making alert on the prediction of rate of messages: 1- from 5 am to10pm (span=10min) and 2- from 10pm to 5am (span=20 min).

It can be really easy, but as I'm new to Splunk, I couldn't find a proper way for it.

My base query is:

|tstats latest(msg) as msg where `sws_logs_indexes` sourcetype=sws:sag:msgpartners host="p*" mp_name="Bessserver*" sag_instance="*SAG12" by _time sag_instance mp_name span=10m
| stats sum(msg) as msg by _time sag_instance
| streamstats current=false latest(msg) as previous_msg by sag_instance
| eval rate=msg-previous_msg
| timechart span=10m avg(rate) as "Server msg rate"

| predict "Server msg rate" as prediction algorithm=LLP5 holdback=0 future_timespan=0 period=1008 upper75=upper75 lower75=lower75
|`forecastviz(24, 0, "Server msg rate", 75)`

| eval isOutlier = if(prediction!="" AND 'Server msg rate' != "" AND ('Server msg rate' < 'lower75(prediction)' OR 'Server msg rate' > 'upper75(prediction)'), 1, 0) | where isOutlier=1 |table _time,isOutlier

Re: Two predictions (Day and Night) in one report

to4kawa — Tue, 29 Dec 2020 10:39:59 GMT

We don't understand anything even if you only give us SPL.

Re: Two predictions (Day and Night) in one report

maryambagherik — Tue, 29 Dec 2020 11:18:12 GMT

You imagine very simple search like:

|index=*
| timechart span=10 min count as "Errors" (from 5am to 10 pm)

|predict "Errors"

|index=*

| timechart span=20 min count as "Errors" (from 10pm to 5am)

|predict "Errors"

How can I do such a search in one search?

is it possible in splunk two time spans for one search?

Re: Two predictions (Day and Night) in one report

to4kawa — Tue, 29 Dec 2020 11:19:52 GMT

please use append with two search.

Re: Two predictions (Day and Night) in one report

maryambagherik — Tue, 29 Dec 2020 12:29:09 GMT

Append doesn't work, as I have tstats command, and this command should be the first command, then in the 2nd search it returns an error.
Then Append doesn't work in realtime well, and as I have prediction in my search....

Do you have any other suggestion or example?

Further, for the time mentioning in each search i do sth like: WHERE ((earliest=-24h latest<@d) OR (earliest>=@d+1h)), it returns 0 results, however it shouldn't be 0

Re: Two predictions (Day and Night) in one report

to4kawa — Tue, 29 Dec 2020 14:34:19 GMT

sample:

> append doesn't work

Have you tried it?

Re: Two predictions (Day and Night) in one report

maryambagherik — Tue, 29 Dec 2020 15:36:39 GMT

I could use append, without prediction command, it works.
But how about its visualization? how can i define two different colours for two searches?

Now i see the results of 2nd search after append in the same col as the 1st search (span=10m), is there anyway to see the second search (span=20) in separate col?

Further, When i do prediction, then again append doesn't work results for the 2nd search. Do you know why?

Thanks

Re: Two predictions (Day and Night) in one report

to4kawa — Tue, 29 Dec 2020 21:48:13 GMT