I need to do one prediction for two different time ranges with different spans in one report. The objective is making an alert on the prediction of the rate of messages: 1- from 5 am to 10 pm (span=10min) and 2- from 10 pm to 5 am (span=20 min).
It can be really easy, but as I'm new to Splunk, I couldn't find a proper way for it.
My base query is:
| tstats latest(msg) as msg where `sws_logs_indexes` sourcetype=sws:sag:msgpartners host="p*" mp_name="Bessserver*" sag_instance="*SAG12" by _time sag_instance mp_name span=10m
| stats sum(msg) as msg by _time sag_instance
| streamstats current=false latest(msg) as previous_msg by sag_instance
| eval rate=msg-previous_msg
| timechart span=10m avg(rate) as "Server msg rate"
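To make clear what the pipeline above computes, and how a single series can carry a 10-minute span by day and a 20-minute span by night, here is an added Python model of it (not Splunk code and not part of the original post). It assumes the `msg` field is a cumulative counter per message partner, that the 5 am / 10 pm boundaries are evaluated in UTC (Splunk would use the search-time zone), and it uses constructed sample events. Stages 1 to 3 mirror `tstats latest(msg)` per 10-minute bucket, `stats sum(msg)` per instance, and `streamstats`/`eval rate`; stage 4 replaces the fixed `timechart span=10m` with a bucket width chosen by hour of day, so each night bucket is the average of two 10-minute rates.

```python
from collections import defaultdict
from datetime import datetime, timezone

BASE_SPAN = 600     # the tstats/stats granularity: 10 minutes
DAY_SPAN = 600      # 5 am - 10 pm: 10-minute output buckets
NIGHT_SPAN = 1200   # 10 pm - 5 am: 20-minute output buckets

# Constructed sample data: 2024-01-01 00:00:00 UTC as the day's epoch base.
BASE = 1704067200
SAMPLE_EVENTS = [
    # _time offset, mp_name, msg (cumulative counter); one instance "prodSAG12" (hypothetical name)
    {"_time": BASE + 78000, "sag_instance": "prodSAG12", "mp_name": "Bessserver1", "msg": 100},  # 21:40
    {"_time": BASE + 78300, "sag_instance": "prodSAG12", "mp_name": "Bessserver1", "msg": 105},  # 21:45, same bucket
    {"_time": BASE + 78000, "sag_instance": "prodSAG12", "mp_name": "Bessserver2", "msg": 50},
    {"_time": BASE + 78600, "sag_instance": "prodSAG12", "mp_name": "Bessserver1", "msg": 110},  # 21:50
    {"_time": BASE + 78600, "sag_instance": "prodSAG12", "mp_name": "Bessserver2", "msg": 55},
    {"_time": BASE + 79200, "sag_instance": "prodSAG12", "mp_name": "Bessserver1", "msg": 130},  # 22:00
    {"_time": BASE + 79200, "sag_instance": "prodSAG12", "mp_name": "Bessserver2", "msg": 60},
    {"_time": BASE + 79800, "sag_instance": "prodSAG12", "mp_name": "Bessserver1", "msg": 135},  # 22:10
    {"_time": BASE + 79800, "sag_instance": "prodSAG12", "mp_name": "Bessserver2", "msg": 62},
    {"_time": BASE + 80400, "sag_instance": "prodSAG12", "mp_name": "Bessserver1", "msg": 145},  # 22:20
    {"_time": BASE + 80400, "sag_instance": "prodSAG12", "mp_name": "Bessserver2", "msg": 65},
]


def floor_to(ts, span):
    """Start of the bucket of width `span` seconds containing `ts` (what `bin`/`span=` does)."""
    return ts - (ts % span)


def span_for(ts):
    """Output bucket width by hour of day (assumed UTC): 10 min from 5 am to 10 pm, 20 min otherwise."""
    hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
    return DAY_SPAN if 5 <= hour < 22 else NIGHT_SPAN


def message_rates(events, base_span=BASE_SPAN):
    """Stages 1-3 of the pipeline: returns [(bucket_time, sag_instance, rate), ...]."""
    # Stage 1: tstats latest(msg) ... by _time sag_instance mp_name span=10m
    latest = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        key = (floor_to(e["_time"], base_span), e["sag_instance"], e["mp_name"])
        latest[key] = e["msg"]          # later event in the same bucket overwrites: latest()
    # Stage 2: stats sum(msg) as msg by _time sag_instance
    totals = defaultdict(int)
    for (t, inst, _mp), m in latest.items():
        totals[(t, inst)] += m
    # Stage 3: streamstats current=false latest(msg) as previous_msg by sag_instance | eval rate
    previous = {}
    rates = []
    for (t, inst) in sorted(totals):
        if inst in previous:            # first row per instance has no previous_msg, so no rate
            rates.append((t, inst, totals[(t, inst)] - previous[inst]))
        previous[inst] = totals[(t, inst)]
    return rates


def timechart(rates):
    """Stage 4 with a variable span: average the 10-minute rates inside each day/night bucket."""
    buckets = defaultdict(list)
    for t, inst, r in rates:
        buckets[(floor_to(t, span_for(t)), inst)].append(r)
    return {k: sum(v) / len(v) for k, v in sorted(buckets.items())}


if __name__ == "__main__":
    for (t, inst), avg_rate in timechart(message_rates(SAMPLE_EVENTS)).items():
        when = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%H:%M")
        print(f"{when} {inst} span={span_for(t)}s  Server msg rate={avg_rate}")
```

On the sample data the 21:50 row is a 10-minute bucket on its own, while the 22:00 and 22:10 rates fall into one 20-minute night bucket and are averaged; if the night series should instead be messages per 20 minutes, sum the rates per bucket rather than averaging them.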