Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Exponential Smoothing Implementation in Splunk

samsplunkd
Path Finder
‎01-02-2013 02:59 PM

Hi,

I am planning to implement exponential smoothing in Splunk based on below formula where
s1 is the forecasted value. At time t=0, it is equal to first event. For time=t, it is calculated based on below formula. I can hard code value for "alpha".

s1=x0
s{t}=[alpha * x{t-1}] + [(1-alpha)s{t-1}], t>1

For time=t, it is referring to previously calculated forecast value (s{t-1}) and previous event value (x{t-1}) so not sure how this can be achieved using Splunk.
Say the log data is like below and "total" is the field which needs to be used(x{t}) to calcuate forecasted value(s{t}). I know there will be a field named "total" created which contains all the values but is there a way I can refer to say first value in field "total" like total0 which will be equal to 4, total[1] which will be equal to 6?

1/2/13 2:30:00.000 PM total=4
1/2/13 2:31:00.000 PM total=6
1/2/13 2:32:00.000 PM total=8
1/2/13 2:33:00.000 PM total=10

Any help is greatly appreciated.

0 Karma
Reply

jonuwz
Influencer
‎01-03-2013 03:11 AM

The trick here is to make all the data required for the calculation in the current event.

Looking at the formula, it only relies on the previous value of x and the previous value of s.

You can pull the previous value of a field into the current event like this :

... | streamstats window=1 current=f total as prev_total

so now you have access to x{t} and x{t-1} in the event. ( total and prev_total fields respectively)

You'll also need to pre-populat the 1st valid value of s, then you can use the above method to 'stream' the previous value of s into the current event to calculate s{t}

Reply

yannK
Splunk Employee
Splunk Employee
‎01-02-2013 07:18 PM

To do a cumulative total in a new field, take a look at the function eventstats.
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Eventstats

and maybe too at the function predict that may already do what you want.
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Predict

0 Karma
Reply

samsplunkd
Path Finder
‎01-03-2013 12:05 AM

Thanks for the reply But my requirement is little different. This formula expects values from previous calculated results so I would like to know if there is a way I can refer to field values separately like arrays as specified in my question above.

s{t}=[alpha * x{t-1}] + [(1-alpha)s{t-1}], t>1

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...