Splunk Search

Need help on predict command usage in graph

kdimaria
Communicator

I have a trend graph that shows some data, then it's predicting out that data a couple of days forward. However, the prediction starts when the normal data starts, when I would rather have the prediction start on the graph when there is no previous data. Basically attaching itself to the previous trendline and adding on with its prediction. Is there a way to do this?

0 Karma
1 Solution

Sukisen1981
Champion
timechart span=5min avg(p) as Act | predict Act AS pred algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70 | eval pred=if(isnull(Act),pred,Act)

==
Assuming Act as actuals & pred as predicted field names


niketn
Legend

@kdimaria, if your intention is to distinguish prediction chart between current time span and future time span, you can try installing Machine Learning Toolkit app (https://splunkbase.splunk.com/app/2890/) which adds Forecast Chart visualization. As you can see the Current Time Series is highlighted in Red and Future Time Series in Blue, Current Confidence Interval in Orange and Future Confidence Interval in Green.


Refer to documentation for passing predict command parameters to forecastviz or modvizpredict macro: https://docs.splunk.com/Documentation/MLApp/latest/User/Customvisualizations#Forecast_Chart_.28Forec...

You can also refer to Forecast Time Series documentation on http://docs.splunk.com/Documentation/MLApp/latest/User/ForecastTimeSeries
Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kdimaria
Communicator

@Sukisen1981, this works, but when I eval the predict field, it gets rid of the upper and lower limit possibilities. Is there a way to keep those in the graph as well?

0 Karma

Sukisen1981
Champion

Hi,

Yes, I get what you mean - high(pred) and low(pred) are missing. However, try this:

timechart span=5min avg(p) as Act | predict Act AS pred algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70 | eval pred=if(isnull(Act),pred,Act) | rename high(pred) AS X | fields _time,Act,X,pred

You will get X plotted as the high limit values. Apply the same and rename low(pred) to Y.
Choose X and Y names as something like hmmm maybe - "High / Low Limit"
I use the MLTK app like @niketnilay is saying....

0 Karma
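The search worked out in this thread, written out in full with both bounds kept, as an added example that is not from any of the posters. It builds constructed sample data with makeresults so it runs without an index; the formula for p, the "High Limit" and "Low Limit" field names, and blanking the bounds wherever actuals exist (so they appear only over the forecast) are assumptions of this example.

```spl
| makeresults count=288
| streamstats count AS n
| eval _time = relative_time(now(), "-1d@h") + n*300
| eval p = 50 + 10*sin(n/20) + random()%5
| timechart span=5min avg(p) AS Act
| predict Act AS pred algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70
| eval pred = if(isnull(Act), pred, Act)
| eval "High Limit" = if(isnull(Act), 'high(pred)', null())
| eval "Low Limit" = if(isnull(Act), 'low(pred)', null())
| fields _time, Act, pred, "High Limit", "Low Limit"
```

Against real data, replace the first four lines with the base search that produces the field p.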