Hi, I am trying to predict earnings by the end of the month (our KPI) based on historical data. I tried this:
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings future_timespan=7
What I need is to replace the 7 value of the future_timespan with a dynamic value that calculates the number of days left until the end of the current month (or current week / year / whatever).
I tried subsearches and eval before the predict command; everything ends with an invalid future_timespan value. Is there any solution to this problem?
This should work
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings [| gentimes start=-1 | eval search="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400) | table search]
There is actually another way to do this and to me it is easier to understand, try:
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings future_timespan=31 | where _time<=relative_time(now(),"+1mon@mon")
Hi,
I am trying to apply the above search to my data but I am getting an error: "Error in 'eval'command: The expression is malformed"
It looks like the "future_timespan=" is not green and is not recognised for some reason, or I am not sure what I am doing wrong.
My search:
index=**** sourcetype=*****
| dedup incident
| timechart span=1d dc(incident) as dc_incident
| predict dc_incident
[| gentimes start=-1
| eval inc_vol_by_eom="future_timespan=".round(relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400)
| table inc_vol_by_eom]
Hi, you were missing a "(" between - round((relative_time
index= sourcetype=*
| dedup incident
| timechart span=1d dc(incident) as dc_incident
| predict dc_incident
[| gentimes start=-1
| eval inc_vol_by_eom="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400)
| table inc_vol_by_eom]
Ahhhh thanks
Now I get a new error: "command="predict", unknown option inc_vol_by_eom=future_timespan=2 "
Yes, very good and very fast!
To continue my quest - I want to add future predictions to current earnings to estimate a month total. I tried to use sum(prediction(Earnings)) but the result is wildly too high because it uses predictions for past days when we have no earnings (weekends) as well. Therefore I think I need to add actual earnings plus forecasts for the future days to get to a more realistic estimation. Is there a way to do that?
I found a solution, but my idea was bad, the answer is even worse than without this idea:
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings [| gentimes start=-1 | eval search="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400) | table search] as pred| stats sum(eval(if(_time<now(),0,pred))) as future1, sum(Earnings) as past1 | eval total=past1+future1
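The day count that the subsearch in this thread feeds to predict can be checked outside Splunk. The following is an added example, not code from any post above: it reproduces the "days from today to the last day of the month" value in Python and extends it to the week and year cases the question mentions. The function names are hypothetical, and the Sunday week start is an assumption chosen to match Splunk's @w0 snap.

```python
from datetime import date, timedelta


def period_end(today: date, period: str) -> date:
    """Last calendar day of the week, month or year that contains `today`."""
    if period == "week":
        # Assumption: weeks start on Sunday (as with Splunk's @w0), so they end on Saturday.
        days_since_sunday = (today.weekday() + 1) % 7  # Monday=0 ... Sunday=6 in Python
        return today - timedelta(days=days_since_sunday) + timedelta(days=6)
    if period == "month":
        # First day of the next month minus one day, the same idea as "@mon+1mon-1d".
        # The integer division rolls December over into January of the next year.
        first_next = date(today.year + today.month // 12, today.month % 12 + 1, 1)
        return first_next - timedelta(days=1)
    if period == "year":
        return date(today.year, 12, 31)
    raise ValueError(f"unsupported period: {period!r}")


def days_left(today: date, period: str = "month") -> int:
    """Whole days between `today` and the last day of the period.

    Works on calendar dates, so no rounding is needed; the thread's expression
    divides epoch seconds by 86400 and uses round() to get a whole number.
    The result is 0 on the last day of the period.
    """
    return (period_end(today, period) - today).days


def predict_option(today: date, period: str = "month") -> str:
    """The literal option string the subsearch hands to predict."""
    return f"future_timespan={days_left(today, period)}"


if __name__ == "__main__":
    # Constructed sample dates, not data from the thread.
    for sample in (date(2024, 2, 27), date(2023, 12, 15), date(2024, 1, 31)):
        print(sample, [predict_option(sample, p) for p in ("week", "month", "year")])
```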