Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use Historical Data to Establish Trends and Normalize Data

cpund
New Member
‎04-30-2019 11:07 AM

Perhaps I am using the term normalize wrong, but the following is essentially the gist of what I'm trying to do:

I've got wireless bandwidth usage data calculated for each building on campus, and I've created my own .kmz/.kml file with these building's boundaries defined. I've managed to plot the data to this map, so that alone I've got fully functioning. Now, I want to setup a 5 Point shading scale, where in the middle is good (green), and either end could be cause for concern (perhaps blue on the left side, red on the right). Is it possible to weigh each run's data against historical data, such as from the same day/time in the previous week(s), and for each building determine whether it is above the average or below the average before finally plotting this to my map?

Thanks for any insight in advance!

Tags (1)
0 Karma
Reply

DavidHourani
Super Champion
‎05-02-2019 01:42 AM

Hi there,

You can use the timewrap command to compare time series (no need for any apps). You can use something similar to this example to compare two weeks : 

index=bwusage  earliest=-14d@d latest=@d
| timechart span=1d count 
| timewrap 1w

This will pile up both chart on the same graph making it easy to compare and track anomalies.

Also the predict command can be helpful for creating upper and lower bounds and tracking what is normal and what is not.

In addition to that, and as tom mentioned MLTK can also be used if you want to take things further.

Cheers,
David

0 Karma
Reply

tom_frotscher
Builder
‎05-02-2019 01:13 AM

Hi,

there is an app on splunk base that should fit your needs. I havn't used it in a long time and the compatibility at splunk base says it is compatible up to splunk 6.5. Since it is basically a custom splunk search command it should work in current versions.

https://splunkbase.splunk.com/app/1645/

If you want to have a more flexible way to compare your historic data against current values, you should try and get a glimpse of the examples in the Splunk MLTK.

Greetings

Tom

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...