Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help on predict command usage in graph

kdimaria
Communicator
‎09-29-2017 10:09 AM

I have a trend graph that shows some data then its predicting out that data a couple days forward. However, The prediction starts when the normal data starts, when I would rather have the prediction start on the graph when there is no previous data. Basically attaching itself to the previous trendline and adding on with it's prediction. Is there a way to do this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎09-29-2017 10:21 AM 
timechart span=5min avg(p) as Act |predict Act AS pred  algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70 | eval pred=if(isnull(Act),pred,Act)

==
Assuming Act as actuals & pred as predicted field names

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎10-02-2017 09:20 AM

@kdimaria, if your intention is to distinguish prediction chart between current time span and future time span, you can try installing Machine Learning Toolkit app (https://splunkbase.splunk.com/app/2890/) which adds Forecast Chart visualization. As you can see the Current Time Series is highlighted in Red and Future Time Series in Blue, Current Confidence Interval in Orange and Future Confidence Interval in Green.

alt text

Refer to documentation for passing predict command parameters to forecastviz or modvizpredict macro: https://docs.splunk.com/Documentation/MLApp/latest/User/Customvisualizations#Forecast_Chart_.28Forec...

You can also refer to Forecast Time Series documentation on http://docs.splunk.com/Documentation/MLApp/latest/User/ForecastTimeSeries
Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Preview file
1 KB
Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎09-29-2017 10:21 AM 
timechart span=5min avg(p) as Act |predict Act AS pred  algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70 | eval pred=if(isnull(Act),pred,Act)

==
Assuming Act as actuals & pred as predicted field names

Reply
Solved! Jump to solution

kdimaria
Communicator
‎10-02-2017 06:02 AM

@Sukisen1981 , This works but when I eval the predict field, it gets rid of the upper and lower limit possibilities. Is there a way to keep those in the graph as well?

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎10-03-2017 09:19 AM

Hi,

Yes, I get what you mean - high(pred) and low(pred) ae missing. However, try this :

timechart span=5min avg(p) as Act |predict Act AS pred algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70 | eval pred=if(isnull(Act),pred,Act) |rename high(pred) AS X|fields _time,Act,X,pred

You will get X plotted as the high limit values.///apply same and rename low(pred) to Y .
Choose X and Y names as something like hmmm maybe - "High / Low Limit"
I use he MLTK app like @niketnilay is saying....

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...