Re: Plotting trendlines into the future


mw

Splunk Employee

04-04-2011
09:40 PM

*n* days from now?

1 Solution


mw

Splunk Employee

04-04-2011
09:56 PM

In order to do this we can start with 2 macros:

```
# macros.conf
# Multi-line definitions need a trailing backslash on every continued line.
[lineartrend(2)]
args = x, y
description = Develop a linear trendline against a data set
definition = eventstats count as numevents sum($x$) as sumX sum($y$) as sumY sum(eval($x$*$y$)) as sumXY sum(eval($x$*$x$)) as sumX2 sum(eval($y$*$y$)) as sumY2 \
| eval slope=((numevents*sumXY)-(sumX*sumY))/((numevents*sumX2)-(sumX*sumX)) \
| eval yintercept=(sumY-(slope*sumX))/numevents \
| eval newY=(yintercept + (slope*$x$) - 5) \
| eval R=((numevents*sumXY) - (sumX*sumY))/sqrt(((numevents*sumX2)-(sumX*sumX))*((numevents*sumY2)-(sumY*sumY))) \
| eval R2=R*R

[extendtrend(2)]
args = newY, end
description = For use after something like lineartrend(2). Extend the trendline into the future.
definition = append [gentimes start=1 end=$end$ | rename starttime as _time | fields _time] \
| delta $newY$ as newY_delta \
| eventstats avg(newY_delta) as avg_newY_delta last($newY$) as lastY \
| eval pred_accum=if(isnull($newY$), avg_newY_delta, 0) \
| accum pred_accum \
| eval newY=if(isnull($newY$), pred_accum + lastY, $newY$)
```

For the *lineartrend(2)* macro, you pass in the time field (x value) as well as the numerical value (y value) of the data which is being plotted (in this case the count of events). This will create a new numerical field called *newY* which will be the y values for the trendline. However, the new trendline will only be plotted until "now". In order to extend it into the future we'll use the *extendtrend(2)* macro. For this macro, you pass the newY field (y value to plot) as well as the number of days to project into the future. The x value (timeline) will be created using *gentimes*.

The final search will look like this and includes a high and low threshold in order to show the intersection of the trend:

```
sourcetype=syslog | timechart count
| `lineartrend(_time, count)`
| `extendtrend(newY, 7)`
| eval low_threshold=5000
| eval high_threshold=50000
| timechart values(count) as events values(newY) as linear_trend values(low_threshold) as low_threshold values(high_threshold) as high_threshold
```

The result should look something like this where the blue line is the plotted syslog event counts ending today, the yellow line is the trendline, which extends beyond today, and the high and low threshold lines:


whopper

Explorer

03-11-2014
01:03 PM


cttorres

Explorer

08-10-2017
01:51 PM

Hi!

Can you give us an example please?

Thanks!


cpayne_satisnet

New Member

07-02-2012
09:49 AM

Thanks for this information, it helped me quite a bit. However, I noticed that the extendtrend macro provided doesn't work properly unless you are searching with a bucket span of 1 day.

I used the following macro which gave me a more accurate picture.

```
[lineartrendextend(3)]
args = x, y, end
description = Extends lineartrend(2), x and y should match the args provided to lineartrend, end should be the number of days into the future you would like to extend the trend.
definition = append [ gentimes start=1 end=$end$ |rename starttime as _time | fields _time] |eventstats values(yintercept) as yintercept, values(slope) as slope, values(numevents) as numevents | eval newY=(yintercept + (slope * _time)) | fields _time, $y$, newY
```
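Added example, not part of either post: a Python model of the two extension approaches in this thread, run on constructed data, showing why the per-bucket average delta used by *extendtrend(2)* only agrees with evaluating `yintercept + slope * _time` when the bucket span is 1 day. It assumes the appended future rows fall one per day after the last bucket and leaves out the `- 5` offset from the original `newY`.

```python
# Added example with constructed data; not code from the thread.
DAY = 86400  # seconds

def lineartrend(xs, ys):
    """Least-squares fit using the same sums as the lineartrend(2) macro."""
    n = len(xs)
    sum_x, sum_y = sum(xs), sum(ys)
    sum_xy = sum(x * y for x, y in zip(xs, ys))
    sum_x2 = sum(x * x for x in xs)
    slope = (n * sum_xy - sum_x * sum_y) / (n * sum_x2 - sum_x * sum_x)
    yintercept = (sum_y - slope * sum_x) / n
    return slope, yintercept

def extend_by_delta(trend, days):
    """extendtrend(2): lastY plus the running sum of the average per-bucket
    delta, one step per appended row."""
    deltas = [b - a for a, b in zip(trend, trend[1:])]
    avg_delta = sum(deltas) / len(deltas)
    return [trend[-1] + avg_delta * k for k in range(1, days + 1)]

def extend_by_slope(slope, yintercept, future_times):
    """lineartrendextend(3): yintercept + slope * _time on each appended row."""
    return [yintercept + slope * t for t in future_times]

def compare(span, buckets=48, days=7):
    """Return (delta_method, slope_method) predictions for the last future day."""
    xs = [i * span for i in range(buckets)]       # constructed bucket times
    ys = [100 + 2 * x / 3600 for x in xs]         # constructed: grows 2 per hour
    slope, yintercept = lineartrend(xs, ys)
    trend = [yintercept + slope * x for x in xs]  # macro's "- 5" offset omitted
    # Assumption: appended rows are one per day after the last bucket.
    future = [xs[-1] + k * DAY for k in range(1, days + 1)]
    by_delta = extend_by_delta(trend, days)
    by_slope = extend_by_slope(slope, yintercept, future)
    return by_delta[-1], by_slope[-1]

if __name__ == "__main__":
    for label, span in (("span=1d", DAY), ("span=1h", 3600)):
        d, s = compare(span)
        print(f"{label}: delta method {d:.1f}, slope method {s:.1f}")
```

With hourly buckets the delta method advances the trend by one hour's growth for each appended day, so a threshold crossing read off that line lands far later than the fitted slope predicts.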


msarro

Builder

07-17-2013
01:53 PM


rps462

Explorer

07-12-2012
10:50 AM

I'm not sure why this isn't working for me, I'm assuming it's because the search query provided above isn't meant to be used verbatim. I'm just not sure what to replace with what. This is the error I'm getting:

Error in 'eventstats' command: You must specify a rename for the aggregation specifier on the dynamically evaluated field 'sum(eval(count*count))'.

Linear

I have a field called 'action' and I'm trying to trend a certain action to see where it will be in the next month.


Dark_Ichigo

Builder

12-04-2011
03:58 PM