Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Predict values by end of current month

rvencu
Path Finder
‎08-24-2016 08:29 AM

Hi, I am trying to predict earnings by end of month (our KPI) based on historical data. I tried this
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings future_timespan=7

What I need is to replace the 7 value of the future_timespan with a dynamic value that calculates the number of days left until end of current month (or current week / year / whatever)

I tried subsearched and eval before the predict command, everything ends with invalid future_timespan value. Is there any solution to this problem?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-24-2016 09:04 AM

This should work

event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings [| gentimes start=-1 | eval search="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400) | table search]

View solution in original post

Reply
Solved! Jump to solution

tmacraft
Engager
‎12-05-2017 06:47 AM

There is actually another way to do this and to me it is easier to understand, try:
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings future_timespan=31 | where _time<=relative_time(now(),"+1mon@mon")

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-24-2016 09:04 AM

This should work

event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings [| gentimes start=-1 | eval search="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400) | table search]
Reply
Solved! Jump to solution

LionelRubdi
New Member
‎06-27-2017 12:07 AM

Hi,

I am trying to apply the above search for my data but I am getting an error " Error in 'eval'command: The expression is malformed

looks like the "future_timespan=" is not green and is not recogonised for some reason or I am not sure what am I doing wrong.

My search:
index=**** sourcetype=*****
| dedup incident
| timechart span=1d dc(incident) as dc_incident
| predict dc_incident
[| gentimes start=-1
| eval inc_vol_by_eom="future_timespan=".round(relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400)
| table inc_vol_by_eom]

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎06-27-2017 12:19 AM

Hi, you were missing a "(" between - round((relative_time

index= sourcetype=*
| dedup incident
| timechart span=1d dc(incident) as dc_incident
| predict dc_incident
[| gentimes start=-1
| eval inc_vol_by_eom="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400)
| table inc_vol_by_eom]

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

LionelRubdi
New Member
‎06-27-2017 04:26 PM

Ahhhh thanks

0 Karma
Reply
Solved! Jump to solution

LionelRubdi
New Member
‎06-27-2017 04:41 PM

now I get a new Error "command="predict", unknown option inc_vol_by_eom=future_timespan=2 "

0 Karma
Reply
Solved! Jump to solution

rvencu
Path Finder
‎08-24-2016 09:53 AM

Yes, very good and very fast!

0 Karma
Reply
Solved! Jump to solution

rvencu
Path Finder
‎08-26-2016 02:01 AM

To continue my quest - I want to add future predictions to current earnings to estimate a month total. I tried to use sum(prediciton(Earnings)) but the result is wild too high because it uses predictions for past days when we have no earnings (weekends) as well. Therefore I think I need to add actual earnings plus forecasts for the future days to get to a more realistic estimation. Is there a way to do that?

0 Karma
Reply
Solved! Jump to solution

rvencu
Path Finder
‎08-27-2016 05:45 AM

I found a solution, but my idea was bad, the answer is even worst than without this idea:
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings [| gentimes start=-1 | eval search="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400) | table search] as pred| stats sum(eval(if(_time<now(),0,pred))) as future1, sum(Earnings) as past1 | eval total=past1+future1

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...