Two predictions (Day and Night) in one report

maryambagherik
Explorer

Hello Splunk community,

I need to do one prediction for two different time ranges with different spans in one report.
The objective is to alert on the prediction of the message rate: 1) from 5 am to 10 pm (span=10min) and 2) from 10 pm to 5 am (span=20 min).

It may be really easy, but as I'm new to Splunk, I couldn't find a proper way to do it.

My base query is:

| tstats latest(msg) as msg where `sws_logs_indexes` sourcetype=sws:sag:msgpartners host="p*" mp_name="Bessserver*" sag_instance="*SAG12" by _time sag_instance mp_name span=10m
| stats sum(msg) as msg by _time sag_instance
| streamstats current=false latest(msg) as previous_msg by sag_instance
| eval rate=msg-previous_msg
| timechart span=10m avg(rate) as "Server msg rate"
| predict "Server msg rate" as prediction algorithm=LLP5 holdback=0 future_timespan=0 period=1008 upper75=upper75 lower75=lower75
| `forecastviz(24, 0, "Server msg rate", 75)`
| eval isOutlier = if(prediction!="" AND 'Server msg rate' != "" AND ('Server msg rate' < 'lower75(prediction)' OR 'Server msg rate' > 'upper75(prediction)'), 1, 0)
| where isOutlier=1
| table _time, isOutlier


to4kawa
Ultra Champion

| tstats count where index=_internal earliest=-2w@w latest=-1w@w by _time span=1h | eval status="last_week"
| append [ | tstats count where index=_internal earliest=-1w@w by _time span=1h | eval status="current_week" ]
| makecontinuous _time span=1h
| filldown count status
| xyseries _time status count
| bin span=1d _time
| stats avg(*) as * by _time
| predict current_week last_week
| where match(_time,"^\d+$")


maryambagherik
Explorer

Append doesn't work, as I have a tstats command, and this command should be the first command, so in the 2nd search it returns an error.
Also, append doesn't work well in real time, and as I have a prediction in my search....

Do you have any other suggestion or example?

Further, for specifying the time in each search I do something like: WHERE ((earliest=-24h latest<@d) OR (earliest>=@d+1h)); it returns 0 results, however it shouldn't be 0.


to4kawa
Ultra Champion

sample:

| tstats count where index=_internal earliest=0 latest=-1w@w by _time span=1h
| eval status="last_week"
| append [ | tstats count where index=_internal earliest=-1w@w by _time span=1h | eval status="current_week"]
| timechart avg(count) by status

> append doesn't work

Have you tried it?


maryambagherik
Explorer

I could use append without the predict command, and it works.
But what about its visualization? How can I define two different colours for the two searches?

Now I see the results of the 2nd search after append in the same column as the 1st search (span=10m); is there any way to see the second search (span=20m) in a separate column?

Further, when I do a prediction, append again doesn't return results for the 2nd search. Do you know why?

Thanks


to4kawa
Ultra Champion

| tstats count where index=_internal earliest=-2w@w latest=-1w@w by _time span=1h | eval status="last_week"
| append [ | tstats count where index=_internal earliest=-1w@w by _time span=1h | eval status="current_week" ]
| makecontinuous _time span=1h
| filldown count status
| xyseries _time status count
| bin span=1d _time
| stats avg(*) as * by _time
| predict current_week last_week
| where match(_time,"^\d+$")

to4kawa
Ultra Champion

Please use append with two searches.

maryambagherik
Explorer

Imagine a very simple search like:

index=* (from 5am to 10pm)
| timechart span=10m count as "Errors"
| predict "Errors"

index=* (from 10pm to 5am)
| timechart span=20m count as "Errors"
| predict "Errors"

How can I do this in one search?

Is it possible in Splunk to have two time spans in one search?


to4kawa
Ultra Champion

We don't understand anything even if you only give us SPL.

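The problem discussed in this thread, worked through in Python as an added example (not code from the thread, the poster, or Splunk): the counter-to-rate pipeline of the original query with the day window binned at 10 minutes and the night window at 20 minutes, rates divided by the bin length so the two spans stay comparable, and a rolling mean/standard-deviation band standing in for the predict lower75/upper75 check. The sample counter data, the 05:00/22:00 window boundaries and the band parameters are constructed for the example.

```python
from datetime import datetime, timezone
from statistics import mean, pstdev

DAY_START, DAY_END = 5, 22          # 05:00 <= hour < 22:00 is the "day" window (constructed)
SPAN = {"day": 600, "night": 1200}  # bin width in seconds: 10m by day, 20m by night

def window(epoch):
    return "day" if DAY_START <= datetime.fromtimestamp(epoch, timezone.utc).hour < DAY_END else "night"

def bin_latest(samples):
    """Like tstats latest(msg) ... span=..., but with a per-window span: last counter value per bin."""
    bins = {"day": {}, "night": {}}
    for epoch, msg in samples:  # samples arrive in time order
        w = window(epoch)
        bins[w][epoch // SPAN[w] * SPAN[w]] = msg
    return {w: sorted(b.items()) for w, b in bins.items()}

def rates_per_minute(bins, span):
    """streamstats-style delta vs the previous bin, per minute so 10m and 20m bins compare; gaps skipped."""
    return [(t1, (m1 - m0) / (span / 60))
            for (t0, m0), (t1, m1) in zip(bins, bins[1:]) if t1 - t0 == span]

def band_outliers(rates, history=6, k=1.15):
    """Flag a point outside mean +/- k*stdev of the previous `history` points (stand-in for the 75% band)."""
    flagged = []
    for i in range(history, len(rates)):
        prev = [r for _, r in rates[i - history:i]]
        if abs(rates[i][1] - mean(prev)) > k * pstdev(prev):
            flagged.append(rates[i][0])
    return flagged

def run_demo():
    """Constructed data: a counter sampled every 10 min over one UTC day, growing by 100 per
    sample by day and 50 by night, plus an extra +500 burst in the 12:00 sample."""
    t0 = int(datetime(2024, 3, 1, tzinfo=timezone.utc).timestamp())
    samples, msg = [], 1000
    for i in range(144):
        epoch = t0 + i * 600
        if i:
            msg += (100 if window(epoch) == "day" else 50) + (500 if i == 72 else 0)
        samples.append((epoch, msg))
    bins, result = bin_latest(samples), {}
    for w in ("day", "night"):
        rates = rates_per_minute(bins[w], SPAN[w])
        result[w] = {"rates": sorted({round(r, 2) for _, r in rates}),
                     "outliers": [datetime.fromtimestamp(t, timezone.utc).strftime("%H:%M")
                                  for t in band_outliers(rates)]}
    return result
```

Run `run_demo()`: the day series reports a steady 10 msg/min with one 60 msg/min outlier at 12:00, while the night series stays at 5 msg/min with no outliers, even though its raw 20-minute deltas are the same size as the day deltas.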