Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use Historical Data to Establish Trends and Normalize Data

cpund
New Member
‎04-30-2019 11:07 AM

Perhaps I am using the term normalize wrong, but the following is essentially the gist of what I'm trying to do:

I've got wireless bandwidth usage data calculated for each building on campus, and I've created my own .kmz/.kml file with these building's boundaries defined. I've managed to plot the data to this map, so that alone I've got fully functioning. Now, I want to setup a 5 Point shading scale, where in the middle is good (green), and either end could be cause for concern (perhaps blue on the left side, red on the right). Is it possible to weigh each run's data against historical data, such as from the same day/time in the previous week(s), and for each building determine whether it is above the average or below the average before finally plotting this to my map?

Thanks for any insight in advance!

Tags (1)
0 Karma
Reply

DavidHourani
Super Champion
‎05-02-2019 01:42 AM

Hi there,

You can use the timewrap command to compare time series (no need for any apps). You can use something similar to this example to compare two weeks : 

index=bwusage  earliest=-14d@d latest=@d
| timechart span=1d count 
| timewrap 1w

This will pile up both chart on the same graph making it easy to compare and track anomalies.

Also the predict command can be helpful for creating upper and lower bounds and tracking what is normal and what is not.

In addition to that, and as tom mentioned MLTK can also be used if you want to take things further.

Cheers,
David

0 Karma
Reply

tom_frotscher
Builder
‎05-02-2019 01:13 AM

Hi,

there is an app on splunk base that should fit your needs. I havn't used it in a long time and the compatibility at splunk base says it is compatible up to splunk 6.5. Since it is basically a custom splunk search command it should work in current versions.

https://splunkbase.splunk.com/app/1645/

If you want to have a more flexible way to compare your historic data against current values, you should try and get a glimpse of the examples in the Splunk MLTK.

Greetings

Tom

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...