I'm using predict, and seeing good results, but I would like to clean up my visualization.
What I would like is to see past data and future predicted data with no overlap.
Using `eval predicted=if(isnull(foo), predicted, null())`, I am able to show predicted data only where actual data points don't exist, but I still see the upper95 and lower95 overlaid on top of actual data. Trying an equivalent eval for "lower95(predicted)" doesn't work.
Is there a way I can show only actual data where it exists, and only predicted data (with probability ranges) where it doesn't?
That would work for eliminating those fields totally, but I'd like to see them for the predicted portion.
We need to see your full query to understand what all fields are available. It would be easier then to correlate to your description.
What if you did the same thing for lower and upper that you do for predicted?
`| eval upper95=if(isnull(foo), upper95, null()) | eval lower95=if(isnull(foo), lower95, null())`
`index=xxxxx sourcetype=duo:info_summary earliest=-7d
| timechart span=1h min(telephonycreditsremaining) as credits
| predict future_timespan=168 credits as predicted
| eval predicted=if(isnull(credits), round(predicted, 0), null())`
The fields I'm concerned with are named "upper95(predicted)" and "lower95(predicted)". If I try
`| eval predicted=if(isnull(credits), round(predicted, 0), null()), "lower95(predicted)"=if(isnull(credits), "lower95(predicted)", null()), "upper95(predicted)"=if(isnull(credits), "upper95(predicted)", null())`
those fields are 0 through the entire graph. If I don't include the quotes, I get an error calling the upper95 function (which isn't a function).
`* | timechart count as foo | predict foo AS predicted_foo | eval upper95(predicted_foo)=if(_time<=now(), predicted_foo, 'upper95(predicted_foo)' ) | eval lower95(predicted_foo)=if(_time<=now(), predicted_foo, 'lower95(predicted_foo)' )`
Of course change the time frame to something reasonable (last hour, last day, whatever). NOTE that the `upper95(predicted_foo)` in the eval has to be inside single quotes, otherwise it'll think it's a function or something, so be careful about that syntax.
That gives, on my data, something like
If you have any problems applying that to your own data, let us know because I'm sure we can help!
Thanks, Rich. That gets me much closer.
The only issue remaining is that I can't seem to get rid of the lower95. Your solution eliminates the upper95 just fine, but lower95 goes to 0. I'm wondering if I stumbled onto a bug...
`| eval predicted=if(isnull(credits), round(predicted, 0), null())
| eval upper95(predicted)=if(_time<=now(), null(), 'upper95(predicted)' )
| eval lower95(predicted)=if(_time<=now(), null(), 'lower95(predicted)' )`
Surely there's a typo? A special character embedded in there or something?
1) Changing the order of the two items around.
2) Get rid of the lower95 part, copy and paste the upper95 again and manually change the "upper" to "lower" in each spot needed.
Number one could be interesting - will lower work and upper not now? Inquiring minds want to know!
Number two should really settle things though. I'm SURE there's just something goofy going on with some space or something.
1) Swapping the upper/lower lines did not change the result.
2) I had already done this, thinking I had made a typo. Just for completeness, I tried it again, just now. No change.