How do I do a chart in splunk whereby I can forecast into the future?

HattrickNZ
Motivator

Hi there, appreciate any help here. Coming from an Excel perspective and trying to implement some graphs I have in Excel in Splunk, as I can see the value of Splunk.
Appreciate any help!!

2 examples, graph 1 & 2, based on the below data:

Graph 1 has 8 known values (let's say Jan to Aug) and 4 unknown values (Sept to Dec). In this instance I have just used a forecast formula in Excel to get the values for Sept to Dec, and this would be shown in the graph.

Graph 2 is the same, but I would use a pivot chart in Excel and add a trend line to forecast into the future.

Date        Device  #    limit  #2
1/01/2012   A       1    10     1
1/02/2012   A       2    10     2
1/03/2012   A       3    10     3
1/04/2012   A       4    10     4
1/05/2012   A       5    10     5
1/06/2012   A       6    10     6
1/07/2012   A       7    10     7
1/08/2012   A       8    10     8
1/09/2012   A       9    10
1/10/2012   A       10   10
1/11/2012   A       11   10
1/12/2012   A       12   10


yannK
Splunk Employee

Splunk 5.0.* has new magic commands, predict and x11, that may be what you are looking for:

predict: This one is pretty cool - you can use it to predict (estimate bounds) future values of a variable/field.
Ex. predict/estimate the size of index=_internal 14 days out based on its last 30 days' size (can be very useful for capacity planning).
x11: helps one with accounting for seasonal patterns to understand the actual/real trend of a time series.

example:
index=_internal group="per_index_thruput" series=_internal earliest=-30d
| timechart span=1d sum(eval(kb/1024)) as size
| predict size algorithm=LLP future_timespan=14

see http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Predict
http://docs.splunk.com/Documentation/Splunk/5.0.1/Search/Aboutpredictiveanalytics
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/X11

bmgilmore
Path Finder

I think they are looking for an equivalent to Excel's forecast; I've been looking for this as well, the ability to statistically project current trends into the future. Any ideas?


yannK
Splunk Employee

By default the latest time is now, but you can change it.
Example for a search going 4 days into the past to 8 days into the future:

earliest=-4d@d latest=+8d@d | timechart span=1d count by host

The behavior depends on the way your search defines the timestamp (timechart or bucket _time); you may have to define the missing fields, if any.


HattrickNZ_2
Engager

Wow, nearly posted this question again as I could not find it!!!

Anyhow, thanks yannK. That's the bit I got to myself with
index=X eventtype="Y" earliest=-90d@w1 latest=+90d@w1 | timechart span=1w max(Z) by Device

but the future values are blank; I want to somehow enter them with some forecast formula as in Excel, as bmgilmore states below.

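Putting yannK's predict answer together with HattrickNZ_2's search, this added example (not from any poster on this thread) forecasts the "#" column of the sample table four months past the last known value with a linear-trend model (algorithm=LLT, the closest match to Excel's FORECAST), then flags the months where the known or forecast value crosses the "limit" column. The index, sourcetype and field names (index=inventory, sourcetype=device_counts, device, count) are assumed placeholders; the limit of 10 is taken from the table above.

```spl
index=inventory sourcetype=device_counts device=A earliest=-8mon@mon latest=@mon
| timechart span=1mon max(count) AS count
| predict count algorithm=LLT future_timespan=4
| eval limit=10
| eval over_limit=if(coalesce(count, 'prediction(count)') > limit, "yes", "no")
| fields _time count prediction(count) lower95(prediction(count)) upper95(prediction(count)) limit over_limit
```

Note that latest=@mon deliberately stops at the last complete month rather than extending into the future: extending latest only produces the empty buckets HattrickNZ_2 saw, whereas future_timespan=4 makes predict append the four forecast rows itself, each with its prediction and 95% bounds.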