Predict: show past events and future predictions

SplunkTrust

I'm using predict, and seeing good results, but I would like to clean up my visualization.

What I would like is to see past data and future predicted data with no overlap.

Using `eval predicted=if(isnull(foo), predicted, null())`, I am able to show predicted data only where actual data points don't exist, but I still see the upper95 and lower95 overlaid on top of actual data. Trying an equivalent eval for "lower95(predicted)" doesn't work.

Is there a way I can show only actual data where it exists, and only predicted data (with probability ranges) where it doesn't?

0 Karma

Re: Predict: show past events and future predictions

Super Champion

Can you just do a `|fields - lower95 - upper96`, or am I misunderstanding something else?

0 Karma

Re: Predict: show past events and future predictions

SplunkTrust

That would work for eliminating those fields totally, but I'd like to see them for the predicted portion.

0 Karma

Re: Predict: show past events and future predictions

SplunkTrust

We need to see your full query to understand what all fields are available. It would be easier then to correlate to your description.

0 Karma

Re: Predict: show past events and future predictions

Super Champion

What if you did the same thing for lower and upper that you do for predicted?

|eval upper95=if(isnull(foo), upper95, null())|eval lower95=if(isnull(foo), lower95, null())
0 Karma

Re: Predict: show past events and future predictions

SplunkTrust

```
index=xxxxx sourcetype=duo:info_summary earliest=-7d
| timechart span=1h min(telephonycreditsremaining) as credits
| predict future_timespan=168 credits as predicted
| eval predicted=if(isnull(credits), round(predicted, 0), null())
```

The fields I'm concerned with are named "upper95(predicted)" and "lower95(predicted)". If I try

| eval predicted=if(isnull(credits), round(predicted, 0), null()), "lower95(predicted)"=if(isnull(credits), "lower95(predicted)", null()), "upper95(predicted)"=if(isnull(credits), "upper95(predicted)", null())

those fields are 0 through the entire graph. If I don't include the quotes, I get an error calling the upper95 function (which isn't a function).

0 Karma

Re: Predict: show past events and future predictions

SplunkTrust

Run anywhere:

* 
| timechart count as foo 
| predict foo AS predicted_foo 
| eval upper95(predicted_foo)=if(_time<=now(), predicted_foo, 'upper95(predicted_foo)' )
| eval lower95(predicted_foo)=if(_time<=now(), predicted_foo, 'lower95(predicted_foo)' )

Of course change the time frame to something reasonable (last hour, last day, whatever). NOTE that the upper95(predicted_foo) in the eval has to be inside single quotes, otherwise it'll think it's a function or something, so be careful about that syntax.

That gives, on my data, something like
Predictions only

If you have any problems applying that to your own data, let us know because I'm sure we can help!

Happy Splunking!


Re: Predict: show past events and future predictions

SplunkTrust

Thanks, Rich. That gets me much closer.

The only issue remaining is that I can't seem to get rid of the lower95. Your solution eliminates the upper95 just fine, but lower95 goes to 0. I'm wondering if I stumbled onto a bug...

| eval predicted=if(isnull(credits), round(predicted, 0), null())
| eval upper95(predicted)=if(_time<=now(), null(), 'upper95(predicted)' )
| eval lower95(predicted)=if(_time<=now(), null(), 'lower95(predicted)' )

prediction with zeroed lower95

0 Karma

Re: Predict: show past events and future predictions

SplunkTrust

That's interesting.

Surely there's a typo? A special character embedded in there or something?

Try
1) Changing the order of the two items around.
2) Get rid of the lower95 part, copy and paste the upper95 again and manually change the "upper" to "lower" in each spot needed.

Number one could be interesting - will lower work and upper not now? Inquiring minds want to know!
Number two should really settle things though. I'm SURE there's just something goofy going on with some space or something.

0 Karma

Re: Predict: show past events and future predictions

SplunkTrust

Good ideas.

1) Swapping the upper/lower lines did not change the result.
2) I had already done this, thinking I had made a typo. Just for completeness, I tried it again, just now. No change.

0 Karma