Solved: Two predictions (Day and Night) in one report

maryambagherik · ‎12-29-2020

Hello Splunk community,

I need to do one prediction for two different time ranges in different span in one report.
The objective is making alert on the prediction of rate of messages: 1- from 5 am to10pm (span=10min) and 2- from 10pm to 5am (span=20 min).

It can be really easy, but as I'm new to Splunk, I couldn't find a proper way for it.

My base query is:

|tstats latest(msg) as msg where `sws_logs_indexes` sourcetype=sws:sag:msgpartners host="p*" mp_name="Bessserver*" sag_instance="*SAG12" by _time sag_instance mp_name span=10m
| stats sum(msg) as msg by _time sag_instance
| streamstats current=false latest(msg) as previous_msg by sag_instance
| eval rate=msg-previous_msg
| timechart span=10m avg(rate) as "Server msg rate"

| predict "Server msg rate" as prediction algorithm=LLP5 holdback=0 future_timespan=0 period=1008 upper75=upper75 lower75=lower75
|`forecastviz(24, 0, "Server msg rate", 75)`

| eval isOutlier = if(prediction!="" AND 'Server msg rate' != "" AND ('Server msg rate' < 'lower75(prediction)' OR 'Server msg rate' > 'upper75(prediction)'), 1, 0) | where isOutlier=1 |table _time,isOutlier

to4kawa · ‎12-29-2020

| tstats count where index=_internal earliest=-2w@w latest=-1w@w by _time span=1h | eval status="last_week"
| append [ | tstats count where index=_internal earliest=-1w@w by _time span=1h | eval status="current_week" ]
| makecontinuous _time span=1h
| filldown count status
| xyseries _time status count
| bin span=1d _time
| stats avg(*) as * by _time
| predict current_week last_week
| where match(_time,"^\d+$")

View solution in original post

maryambagherik · ‎12-29-2020

Append doesn't work, as I have tstats command, and this command should be the first command, then in the 2nd search it returns an error.
Then Append doesn't work in realtime well, and as I have prediction in my search....

Do you have any other suggestion or example?

Further, for the time mentioning in each search i do sth like: WHERE ((earliest=-24h latest<@d) OR (earliest>=@d+1h)), it returns 0 results, however it shouldn't be 0

to4kawa · ‎12-29-2020

sample:

| tstats count where index=_internal earliest=0 latest=-1w@w by _time span=1h
| eval status="last_week"
| append [ | tstats count where index=_internal earliest=-1w@w by _time span=1h | eval status="current_week"]
| timechart avg(count) by status

> append doesn't work

Have you tried it?

maryambagherik · ‎12-29-2020

I could use append, without prediction command, it works.
But how about its visualization? how can i define two different colours for two searches?

Now i see the results of 2nd search after append in the same col as the 1st search (span=10m), is there anyway to see the second search (span=20) in separate col?

Further, When i do prediction, then again append doesn't work results for the 2nd search. Do you know why?

Thanks

to4kawa · ‎12-29-2020

| tstats count where index=_internal earliest=-2w@w latest=-1w@w by _time span=1h | eval status="last_week"
| append [ | tstats count where index=_internal earliest=-1w@w by _time span=1h | eval status="current_week" ]
| makecontinuous _time span=1h
| filldown count status
| xyseries _time status count
| bin span=1d _time
| stats avg(*) as * by _time
| predict current_week last_week
| where match(_time,"^\d+$")

to4kawa · ‎12-29-2020

please use append with two search.

maryambagherik · ‎12-29-2020

You imagine very simple search like:

|index=*
| timechart span=10 min count as "Errors" (from 5am to 10 pm)

|predict "Errors"

|index=*

| timechart span=20 min count as "Errors" (from 10pm to 5am)

|predict "Errors"

How can I do such a search in one search?

is it possible in splunk two time spans for one search?

to4kawa · ‎12-29-2020

We don't understand anything even if you only give us SPL.

Two predictions (Day and Night) in one report

chart

timechart

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes