Splunk Search

Need help on predict command usage in graph

kdimaria
Communicator

I have a trend graph that shows some data, then it's predicting out that data a couple days forward. However, the prediction starts when the normal data starts, when I would rather have the prediction start on the graph when there is no previous data. Basically attaching itself to the previous trendline and adding on with its prediction. Is there a way to do this?


Sukisen1981
Champion
timechart span=5min avg(p) as Act | predict Act AS pred algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70 | eval pred=if(isnull(Act),pred,Act)

==
Assuming Act as actuals & pred as predicted field names


niketn
Legend

@kdimaria, if your intention is to distinguish the prediction chart between the current time span and the future time span, you can try installing the Machine Learning Toolkit app (https://splunkbase.splunk.com/app/2890/), which adds the Forecast Chart visualization. As you can see, the Current Time Series is highlighted in Red and the Future Time Series in Blue, the Current Confidence Interval in Orange and the Future Confidence Interval in Green.


Refer to documentation for passing predict command parameters to forecastviz or modvizpredict macro: https://docs.splunk.com/Documentation/MLApp/latest/User/Customvisualizations#Forecast_Chart_.28Forec...

You can also refer to Forecast Time Series documentation on http://docs.splunk.com/Documentation/MLApp/latest/User/ForecastTimeSeries
Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kdimaria
Communicator

@Sukisen1981, this works, but when I eval the predict field, it gets rid of the upper and lower limit possibilities. Is there a way to keep those in the graph as well?


Sukisen1981
Champion

Hi,

Yes, I get what you mean - high(pred) and low(pred) are missing. However, try this:

timechart span=5min avg(p) as Act | predict Act AS pred algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70 | eval pred=if(isnull(Act),pred,Act) | rename high(pred) AS X | fields _time,Act,X,pred

You will get X plotted as the high limit values. Apply the same and rename low(pred) to Y.
Choose X and Y names as something like, hmm, maybe "High / Low Limit".
I use the MLTK app like @niketnilay is saying....
