
Can you help me with some predictive analytics for the current month?

joydeep741
Path Finder

I want to forecast future values of a field.

_time TOTAL
01-07-2018 200
01-08-2018 220
01-09-2018 280
01-10-2018 180
01-11-2018 190
01-12-2018 80
In my Splunk query I have used: index=abc | timechart span=1mon count as TOTAL | predict TOTAL

But since the month of December is not yet complete (still 13 days left), why does the PREDICT line show 80 as the predicted value for Dec?

I want to show the correct prediction for the current month.


niketn
Legend

@joydeep741 please test with holdback=1, which implies the latest data point will not be used for prediction. In other words, prediction would be from the current month onward.

 | predict TOTAL holdback=1

Please refer to the Splunk Documentation to understand each of the arguments for the predict command. You can also try out the Splunk Machine Learning Toolkit to Forecast Time Series data and read about the State Space method using the Kalman Filter, which is applied in the predict command.

Following is a run anywhere example:

| makeresults 
| eval data="01-01-2018 90;01-02-2018 110;01-03-2018 120;01-04-2018 130;01-05-2018 140;01-05-2018 140;01-06-2018 240;01-07-2018 200;01-08-2018 220;01-09-2018 280;01-10-2018 180;01-11-2018 190;01-12-2018 80" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval _time=strptime(mvindex(data,0),"%d-%m-%Y"), count=mvindex(data,1) 
| fields - data 
| timechart span=1mon sum(count) as count 
| predict count algorithm=LLP5 holdback=1 future_timespan=3 upper95=upper lower95=lower
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"