Solved: Re: How do I make a predict function more aggressi...

HattrickNZ · ‎03-22-2018

How do I make a predict function more aggressive?

Below is an example of my predict example, search and graph:
... | predict Total as predict future_timespan=12 holdback=0 | fields - upper* lower*

It is something I probably need to understand more of, and I am possibly entering the topic of polynomial or exponential types of growth. And maybe this is the case and the answer lies outside of predict.

Appreciate any advice/pointers to further reading/explanations on this.

Some useful questions i have been reading up on this:
how-to-create-a-search-to-predict-license-violation
prediction-function-algorithms-questions
predict-95-confidence-interval - good at explaining some basics
Predict Documentation

Note: I could use the upperX values, which would be more arressive(give me higher future values) but again I don't think this will be aggressive enough. maybe I need to look at the forecast option?

tks

cmerriman · ‎03-23-2018

if you try ARIMA, maybe try something like this:

| fit ARIMA _time Total order=0-2-7 forecast_k=12

https://docs.splunk.com/Documentation/MLApp/3.1.0/User/Algorithms#Time_Series_Analysis
you'll need the MLTK if you don't already have it.
https://splunkbase.splunk.com/app/2890/

View solution in original post

cmerriman · ‎03-23-2018

if you try ARIMA, maybe try something like this:

| fit ARIMA _time Total order=0-2-7 forecast_k=12

https://docs.splunk.com/Documentation/MLApp/3.1.0/User/Algorithms#Time_Series_Analysis
you'll need the MLTK if you don't already have it.
https://splunkbase.splunk.com/app/2890/

HattrickNZ · ‎03-25-2018

An idea of what I got when trying the following

... | fit ARIMA Total order=0-2-7 forecast_k=12
Error in 'fit' command: Error while fitting "ARIMA" model: The computed initial MA coefficients are not invertible. You should induce invertibility by choosing a different model order.

... |fit ARIMA Total order=0-2-0 forecast_k=12
Error in 'fit' command: Error while fitting "ARIMA" model: operands could not be broadcast together with shapes (88,) (0,) (88,)

... | fit ARIMA _time Total order=0-2-0 forecast_k=12

... | fit ARIMA _time Total order=3-1-1 forecast_k=12
I could get this to display something in the graph without errors, not sure of what is doing, but that is more reading up for me to do.

In the meantime could you try and briefly relate the 3 values order needs to my data/graph.
order needs three values:

Number of autoregressive (AR) parameters
Number of differencing operations (D)
Number of moving average (MA) Parameters

cmerriman · ‎03-26-2018

Hopefully i explain this right.

so the AR parameter uses past values for the time series. the p value assigned is how many holdback orders it'll use.
the D parameter simply subtracts the current and previous values together d number of times to basically make the time series stationary
the MA parameter represents is basically a moving average to account for error, the value assigned determines how many terms to include.

How do I make a predict function more aggressive?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation

How do I make a predict function more aggressive?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform