Splunk Search

Could I draw timechart with prediction line without "predict" command ?

Path Finder

Hi,
As. title.
I know I could use "predict" command to predict the value of my data.
But I have some data which are coming from "R" script, and already have prediction value in it.

How could I draw the timechart digram with prediction line by timechart command for those data ?
( attached picture for example )

alt text

0 Karma
1 Solution

SplunkTrust
SplunkTrust

In Splunk you can get close to above visualization using Chart Overlays and charting.lineDashStyle . However, for applying Dash line style you will have to change the graph to Area or Column (not line chart or your main field will also pick the same style)

Step 1
If you have got the three fields (field1, field2, field3) to plot the series, you can feed them to timechart for example

 <your base search>
| timechart sum(field1) as PredictField sum(field2) as Upper95 sum(field3) as Lower95

(Above is just an example, you should use field names and statistical command according to your need.)

Step 2
You then edit the Chart and change Upper95 and Lower95 fields as overlayFields by editing Chart Panel or through Simple XML

 <option name="charting.chart.overlayFields">Upper95,Lower95</option>

Step 3
Finally, add the charting.lineDashstyle option in Simple XML by editing the source.

  <option name="charting.lineDashStyle">shortDash</option>

Refer to Charting reference for lineDashStyle property: http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

In Splunk you can get close to above visualization using Chart Overlays and charting.lineDashStyle . However, for applying Dash line style you will have to change the graph to Area or Column (not line chart or your main field will also pick the same style)

Step 1
If you have got the three fields (field1, field2, field3) to plot the series, you can feed them to timechart for example

 <your base search>
| timechart sum(field1) as PredictField sum(field2) as Upper95 sum(field3) as Lower95

(Above is just an example, you should use field names and statistical command according to your need.)

Step 2
You then edit the Chart and change Upper95 and Lower95 fields as overlayFields by editing Chart Panel or through Simple XML

 <option name="charting.chart.overlayFields">Upper95,Lower95</option>

Step 3
Finally, add the charting.lineDashstyle option in Simple XML by editing the source.

  <option name="charting.lineDashStyle">shortDash</option>

Refer to Charting reference for lineDashStyle property: http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma