Use Historical Data to Establish Trends and Normalize Data

cpund
New Member

Perhaps I am using the term normalize wrong, but the following is essentially the gist of what I'm trying to do:

I've got wireless bandwidth usage data calculated for each building on campus, and I've created my own .kmz/.kml file with these buildings' boundaries defined. I've managed to plot the data to this map, so that alone I've got fully functioning. Now, I want to set up a 5 Point shading scale, where in the middle is good (green), and either end could be cause for concern (perhaps blue on the left side, red on the right). Is it possible to weigh each run's data against historical data, such as from the same day/time in the previous week(s), and for each building determine whether it is above the average or below the average before finally plotting this to my map?

Thanks for any insight in advance!

0 Karma

DavidHourani
Super Champion

Hi there,

You can use the timewrap command to compare time series (no need for any apps). You can use something similar to this example to compare two weeks:

index=bwusage  earliest=-14d@d latest=@d
| timechart span=1d count 
| timewrap 1w

This will pile up both charts on the same graph, making it easy to compare and track anomalies.

Also the predict command can be helpful for creating upper and lower bounds and tracking what is normal and what is not.

In addition to that, and as Tom mentioned, MLTK can also be used if you want to take things further.

Cheers,
David

0 Karma

tom_frotscher
Builder

Hi,

There is an app on Splunkbase that should fit your needs. I haven't used it in a long time and the compatibility at Splunkbase says it is compatible up to Splunk 6.5. Since it is basically a custom Splunk search command, it should work in current versions.

https://splunkbase.splunk.com/app/1645/

If you want to have a more flexible way to compare your historic data against current values, you should try and get a glimpse of the examples in the Splunk MLTK.

Greetings

Tom

0 Karma
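
The comparison asked about in the question, worked through in Python on constructed hourly totals as an added example (not code from this thread or from Splunk): each building's current value is scored against the same weekday and hour in the previous four weeks and mapped to a 5-point band. The sample data, the band cut-offs at 1 and 2 standard deviations, and the minimum of three historical points are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, stdev

# 5-point scale from the question: low end (blue), middle normal (green), high end (red).
BANDS = ["far below", "below", "normal", "above", "far above"]

def band_for(z):
    """Map a z-score to a band index; cut-offs at 1 and 2 sigma are an assumption."""
    if z <= -2: return 0
    if z <= -1: return 1
    if z < 1: return 2
    if z < 2: return 3
    return 4

def score_buildings(samples, now, weeks=4, min_points=3):
    """samples: (timestamp, building, usage) hourly totals. Returns {building: (z, band)}."""
    by_key = {(ts, b): u for ts, b, u in samples}
    result = {}
    for (ts, building), usage in by_key.items():
        if ts != now:
            continue
        # Same weekday and hour in each of the previous `weeks` weeks, where present.
        history = [by_key[(now - timedelta(weeks=k), building)]
                   for k in range(1, weeks + 1)
                   if (now - timedelta(weeks=k), building) in by_key]
        if len(history) < min_points:
            result[building] = (None, "no baseline")  # too little history to judge
            continue
        avg, sd = mean(history), stdev(history)
        if sd == 0:  # flat history: any deviation at all is extreme
            z = 0.0 if usage == avg else float("inf") * (1 if usage > avg else -1)
        else:
            z = (usage - avg) / sd
        result[building] = (round(z, 2), BANDS[band_for(z)])
    return result

NOW = datetime(2024, 3, 11, 10)  # constructed sample: a Monday at 10:00

def _rows(building, current, past):
    """Build constructed samples: the current hour plus one value per earlier week."""
    return [(NOW, building, current)] + [
        (NOW - timedelta(weeks=k), building, u) for k, u in enumerate(past, 1)]

SAMPLES = (_rows("Library", 125, [100, 110, 90, 100]) + _rows("Gym", 51, [50, 52, 48, 50])
           + _rows("Dorm A", 175, [200, 220, 180, 200]) + _rows("Annex", 40, [38, 41]))

if __name__ == "__main__":
    for name, (z, band) in sorted(score_buildings(SAMPLES, NOW).items()):
        print(f"{name:8} z={z} band={band}")
```

The band is the value to join back onto each building's polygon for shading.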