Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I do a chart in splunk whereby I can forecast into the future?

HattrickNZ
Motivator
‎10-29-2012 03:34 PM

How do I do a chart in splunk whereby I can forecast into the future?

Hi there appreciate any help here. Coming from an excel perspective and trying to implement some graph I have in excel in splunk as I can see the value of splunk.
Appreciate any help!!

2 Examples graph 1 & 2 based on the below data

Graph1 has 8 known values (lets say Jan to Aug) and 4 unknown values(Sept to Dec). In this instance I have just used a forecast formula in excel to get the values for Sept to Dec and this would be shown in the graph.

Graph2 is the same but I would use a pivot chart in excel and add a trend line to forecast into the future

Date Device # limit #2
1/01/2012 A 1 10 1
1/02/2012 A 2 10 2
1/03/2012 A 3 10 3
1/04/2012 A 4 10 4
1/05/2012 A 5 10 5
1/06/2012 A 6 10 6
1/07/2012 A 7 10 7
1/08/2012 A 8 10 8
1/09/2012 A 9 10

1/10/2012 A 10 10

1/11/2012 A 11 10

1/12/2012 A 12 10

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎11-28-2012 01:52 PM

Splunk 5.0.* has a new magic command. predict and x11 that may be what you are looking for,

predict: This one is pretty cool - you can use it to predict (estimate bounds) future values of a variable/field
Ex. predict/estimate size of index=_internal 14 days out based on its last 30 days size. (can be very useful for capacity planing)
x11: helps one with accounting for seasonal patterns to understand the actual/real trend of a time series.

example :
index=_internal group="per_index_thruput" series=_internal earliest=-30d
| timechart sum(eval(kb/1024)) span=1d as size
| predict size algorithm=LLP future_timespan=14

see http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Predict
http://docs.splunk.com/Documentation/Splunk/5.0.1/Search/Aboutpredictiveanalytics
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/X11

Reply

bmgilmore
Path Finder
‎10-29-2012 04:36 PM

I think they are looking for an equivalent to excel's forecast, I've been looking for this as well, the ability to statistically project current trends into the future. Any ideas?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-29-2012 04:20 PM

By default the latest time range is now, but you can change it,
example for a search going 4 days in the past to 8 days in the future.

earliest=-4d@d latest=+8d@d | timechart span=1d count by host

The behavior depends of the way your search define the timestamp (timechart or bucket _time ), you may have to define the missing fields if any.

0 Karma
Reply

HattrickNZ_2
Engager
‎11-28-2012 11:36 AM

wow, nearly posted this question again as I could not find it!!!

Anyhow, thanks yannK, That's the bit I got to my self with
index=X eventtype="Y" earliest=-90d@w1 latest=+90d@w1 | timechart span=1w max(Z) by Device

but the future values are blank, I want to somehow enter them with some forecast formula as in excel as bmgilmore states below

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...