
How to forecast multiple time series from one search ?

EvaRex
Engager

Hello!

I'm really new to Splunk's Machine Learning Toolkit, so any help would be greatly appreciated. Thank you.

I'm trying to forecast time series for multiple apps in my query. My current query is:

index=... report=1min_rollup app="..." earliest="06/07/2017:10:00:00" latest="06/07/2017:11:00:00"
| stats sum(COUNT) as sum_count by _time, app
| stats avg(sum_count) as avgCount by _time, app
| bin _time span=5m
| eval time=_time%3600
| stats values(avgCount) by _time, State
| outputlookup eg.csv

This gives me the lookup table eg.csv which looks like:

_time | app | avgCount
...

Now, I want to forecast the avgCount of all the apps as separate time series. How can I generate multiple forecasted time series (one forecasted time series per app) from the search that I have right now?

Thank you! Your help is greatly appreciated!


nryabykh
Path Finder

Hello!

If you don't know the exact number and names of apps, you can do something like this:

| inputlookup eg.csv
| dedup app
| map search="| inputlookup eg.csv | search app=\"$app$\" | timechart span=5min avg(avgCount) as avgCount | predict avgCount future_timespan=10 | eval app=\"$app$\""
| table _time, avgCount, "prediction(avgCount)", app
| xyseries _time, app, "prediction(avgCount)"

The map command will run the quoted search for every row of the table left after dedup.

Actually, I'm not sure that I totally understand your initial search. For example, it seems that the part stats avg(sum_count) as avgCount by _time, app is useless, because you already have rows grouped by _time and app after stats sum(COUNT) as sum_count by _time,app. And the part stats values(avgCount) by _time, State returns nothing, because there is no 'State' field in the results of the previous stats.


Suhailahmed648
Engager

Is there any other way, without using the 'map' command?
It is very resource-consuming.

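The predict command has no by clause, which is why the thread ends up with two options: the map loop in the answer above (note that map runs at most maxsearches=10 subsearches by default, so with more than ten apps the loop silently stops after the tenth unless you raise that parameter), or, when the app names are known, pivoting the series into one column per app with timechart and naming those columns in a single predict call. The search below is an added example, not code from any of the posters; app_a, app_b and app_c stand in for real values of the app field and are assumptions, as is the eg.csv layout from the question (_time, app, avgCount).

```spl
| inputlookup eg.csv
| timechart span=5m limit=0 avg(avgCount) by app
| predict app_a app_b app_c algorithm=LLP5 future_timespan=10
| fields _time prediction(*)
| untable _time app forecast
| rex field=app "^prediction\((?<app>.+)\)$"
```

limit=0 matters: without it timechart keeps only the ten largest series and folds the rest into an OTHER column, which would then be forecast as if it were an app. predict also emits lower95(prediction(app_a)) and upper95(prediction(app_a)) bounds, which the fields step drops; stop before untable if you want the wide, one-column-per-app layout that xyseries produces in the answer above, and add holdback=<n> to predict to check the forecast against the last n real points before trusting it.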