Solved: Two predictions (Day and Night) in one report

maryambagherik · ‎12-29-2020

Hello Splunk community,

I need to do one prediction for two different time ranges in different span in one report.
The objective is making alert on the prediction of rate of messages: 1- from 5 am to10pm (span=10min) and 2- from 10pm to 5am (span=20 min).

It can be really easy, but as I'm new to Splunk, I couldn't find a proper way for it.

My base query is:

|tstats latest(msg) as msg where `sws_logs_indexes` sourcetype=sws:sag:msgpartners host="p*" mp_name="Bessserver*" sag_instance="*SAG12" by _time sag_instance mp_name span=10m
| stats sum(msg) as msg by _time sag_instance
| streamstats current=false latest(msg) as previous_msg by sag_instance
| eval rate=msg-previous_msg
| timechart span=10m avg(rate) as "Server msg rate"

| predict "Server msg rate" as prediction algorithm=LLP5 holdback=0 future_timespan=0 period=1008 upper75=upper75 lower75=lower75
|`forecastviz(24, 0, "Server msg rate", 75)`

| eval isOutlier = if(prediction!="" AND 'Server msg rate' != "" AND ('Server msg rate' < 'lower75(prediction)' OR 'Server msg rate' > 'upper75(prediction)'), 1, 0) | where isOutlier=1 |table _time,isOutlier

to4kawa · ‎12-29-2020

| tstats count where index=_internal earliest=-2w@w latest=-1w@w by _time span=1h | eval status="last_week"
| append [ | tstats count where index=_internal earliest=-1w@w by _time span=1h | eval status="current_week" ]
| makecontinuous _time span=1h
| filldown count status
| xyseries _time status count
| bin span=1d _time
| stats avg(*) as * by _time
| predict current_week last_week
| where match(_time,"^\d+$")

View solution in original post

maryambagherik · ‎12-29-2020

Append doesn't work, as I have tstats command, and this command should be the first command, then in the 2nd search it returns an error.
Then Append doesn't work in realtime well, and as I have prediction in my search....

Do you have any other suggestion or example?

Further, for the time mentioning in each search i do sth like: WHERE ((earliest=-24h latest<@d) OR (earliest>=@d+1h)), it returns 0 results, however it shouldn't be 0

to4kawa · ‎12-29-2020

sample:

| tstats count where index=_internal earliest=0 latest=-1w@w by _time span=1h
| eval status="last_week"
| append [ | tstats count where index=_internal earliest=-1w@w by _time span=1h | eval status="current_week"]
| timechart avg(count) by status

> append doesn't work

Have you tried it?

maryambagherik · ‎12-29-2020

I could use append, without prediction command, it works.
But how about its visualization? how can i define two different colours for two searches?

Now i see the results of 2nd search after append in the same col as the 1st search (span=10m), is there anyway to see the second search (span=20) in separate col?

Further, When i do prediction, then again append doesn't work results for the 2nd search. Do you know why?

Thanks

to4kawa · ‎12-29-2020

| tstats count where index=_internal earliest=-2w@w latest=-1w@w by _time span=1h | eval status="last_week"
| append [ | tstats count where index=_internal earliest=-1w@w by _time span=1h | eval status="current_week" ]
| makecontinuous _time span=1h
| filldown count status
| xyseries _time status count
| bin span=1d _time
| stats avg(*) as * by _time
| predict current_week last_week
| where match(_time,"^\d+$")

to4kawa · ‎12-29-2020

please use append with two search.

maryambagherik · ‎12-29-2020

You imagine very simple search like:

|index=*
| timechart span=10 min count as "Errors" (from 5am to 10 pm)

|predict "Errors"

|index=*

| timechart span=20 min count as "Errors" (from 10pm to 5am)

|predict "Errors"

How can I do such a search in one search?

is it possible in splunk two time spans for one search?

to4kawa · ‎12-29-2020

We don't understand anything even if you only give us SPL.

Two predictions (Day and Night) in one report

chart

timechart

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor