Solved: draw a theshold line with predict

ilya_resh · ‎12-18-2019

HI,
I have a graph that draws capacity and utilisation and predicts utilisation into the future.
I want to draw a threshold line for capacity , but the threshold's could to be either
- the latest value of the capacity, i.e straight line across the graph
- the value of the capacity at the point of time , but no prediction to the future

I am fine with either option as I just want to see when the predicted utilisation will "cross" the capacity threshold

The threshold should be calculated, as I don't want to update the search/graph every time we change the capacity

here is what i have, but as mentioned I want the threshold not to be predicted

index=_introspection (host=idx*) component=Partitions 
| spath output=capacity path=data.capacity 
| spath output=available path=data.available 
| eval utilised=(capacity - available) / 1024 , capacity = capacity/ 1024
| search *cold 
| timechart span=1h max(utilised) as utilised_max p95(utilised) as utilised_p95 last(capacity) as capacity limit=100 
| predict utilised_max as predict_max utilised_p95 as predict_p95 capacity as capacity future_timespan=168 
| fields - upper95* lower95*

Thanks

niketn · ‎12-19-2019

[UPDATED ANSWER] Move the | filldown Threshold to after the predict command. Refer to updated answer below. Alternatively as suggested you can also change the chart Format to treat Null Values as connected. This is like applying filldown to all the series in the chart.

@ilya_resh before prediction threshold, in order to improve your searh performance, you should move *cold to the main search instead of | search *cold.

Before the timechart command use eventstats to get the latest capacity as Threshold.
After timechart you can use filldown command to draw the threshold line throughout (you can also use chart options for null values through dashboard edit option for the chart as well.)

Please try out and confirm!

index=_introspection (host=*) component=Partitions "*cold"
| spath output=capacity path=data.capacity 
| spath output=available path=data.available 
| eval utilised=(capacity - available) / 1024 , capacity = capacity/ 1024 
| eventstats latest(capacity) as Threshold
| timechart span=1h latest(Threshold) as Threshold max(utilised) as utilised_max p95(utilised) as utilised_p95 last(capacity) as capacity limit=100
| predict utilised_max as predict_max utilised_p95 as predict_p95 capacity as capacity future_timespan=168 
| filldown Threshold
| fields - upper95* lower95*

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

ilya_resh · ‎12-19-2019

Hi @niketnilay
Here is the result

You will see that the Threshold line ends at the current time point, but I want it to go all the way till the end of the predicted time period so that I can see when the predicted utilisation will cross the Threshold line.

niketn · ‎12-19-2019

Thanks for the details. Please refer to updated answer below. All you need is to move the filldown command below predict.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎12-19-2019

[UPDATED ANSWER] Move the | filldown Threshold to after the predict command. Refer to updated answer below. Alternatively as suggested you can also change the chart Format to treat Null Values as connected. This is like applying filldown to all the series in the chart.

@ilya_resh before prediction threshold, in order to improve your searh performance, you should move *cold to the main search instead of | search *cold.

Before the timechart command use eventstats to get the latest capacity as Threshold.
After timechart you can use filldown command to draw the threshold line throughout (you can also use chart options for null values through dashboard edit option for the chart as well.)

Please try out and confirm!

index=_introspection (host=*) component=Partitions "*cold"
| spath output=capacity path=data.capacity 
| spath output=available path=data.available 
| eval utilised=(capacity - available) / 1024 , capacity = capacity/ 1024 
| eventstats latest(capacity) as Threshold
| timechart span=1h latest(Threshold) as Threshold max(utilised) as utilised_max p95(utilised) as utilised_p95 last(capacity) as capacity limit=100
| predict utilised_max as predict_max utilised_p95 as predict_p95 capacity as capacity future_timespan=168 
| filldown Threshold
| fields - upper95* lower95*

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ilya_resh · ‎12-19-2019

Hi @niketnilay
Here is the result

You will see that the Threshold line ends at the current time point, but I want it to go all the way till the end of the predicted time period so that I can see when the predicted utilisation will cross the Threshold line.

(had to post it as answer, as can't attach files from drive in comments)

ilya_resh · ‎12-19-2019

Moving filldown to after the predict worked like magic, thank you very much @niketnilay

niketn · ‎12-19-2019

Sure. Once you post image as answer, you can convert the same to comment. I have done that for you! Please try the updated answer and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

draw a theshold line with predict

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!