Splunk Search

Predict values by end of current month

Path Finder

Hi, I am trying to predict earnings by end of month (our KPI) based on historical data. I tried this
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings future_timespan=7

What I need is to replace the 7 value of the future_timespan with a dynamic value that calculates the number of days left until end of current month (or current week / year / whatever)

I tried subsearches and eval before the predict command; everything ends with an invalid future_timespan value. Is there any solution to this problem?

0 Karma
1 Solution

SplunkTrust

This should work

event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings [| gentimes start=-1 | eval search="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400) | table search]


Engager

There is actually another way to do this and to me it is easier to understand, try:
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings future_timespan=31 | where _time<=relative_time(now(),"+1mon@mon")
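Both answers above hinge on Splunk's relative_time arithmetic, and it is worth being able to check what the subsearch actually hands to predict on a given date. The following Python is an added example, not code from the thread: it mirrors the three relative_time expressions used above ("@d", "@mon+1mon-1d" and "+1mon@mon"), computes the same epoch-second difference divided by 86400 that the accepted answer rounds, and shows why the round() is needed in a month that contains a daylight-saving change. The USEastern zone class and the sample instants are constructed for the example.

```python
from datetime import datetime, timedelta, tzinfo
import calendar


class USEastern(tzinfo):
    """Minimal US Eastern zone (EST/EDT), constructed so the example runs
    without a system time-zone database: DST runs from the second Sunday of
    March 02:00 to the first Sunday of November 02:00 (the rule since 2007)."""

    def _dst_window(self, year):
        march1 = datetime(year, 3, 1)
        start = march1 + timedelta(days=(6 - march1.weekday()) % 7 + 7, hours=2)
        nov1 = datetime(year, 11, 1)
        end = nov1 + timedelta(days=(6 - nov1.weekday()) % 7, hours=2)
        return start, end

    def dst(self, dt):
        start, end = self._dst_window(dt.year)
        return timedelta(hours=1) if start <= dt.replace(tzinfo=None) < end else timedelta(0)

    def utcoffset(self, dt):
        return timedelta(hours=-5) + self.dst(dt)

    def tzname(self, dt):
        return "EDT" if self.dst(dt) else "EST"


TZ = USEastern()


def snap_to_day(ts):
    """relative_time(ts, "@d"): midnight at the start of the same local day."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def last_day_of_month(ts):
    """relative_time(ts, "@mon+1mon-1d"): snap to the 1st, add a month, go back
    one day, i.e. midnight at the start of the month's last day."""
    last = calendar.monthrange(ts.year, ts.month)[1]
    return ts.replace(day=last, hour=0, minute=0, second=0, microsecond=0)


def next_month_start(ts):
    """relative_time(ts, "+1mon@mon"): midnight on the 1st of the next month,
    the cutoff used by the `where` filter in the alternative answer."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=1, hour=0, minute=0, second=0, microsecond=0)


def raw_days_left(now):
    """Epoch-second difference divided by 86400, before rounding. Across a DST
    change one local day is 23 or 25 hours long, so this is not an integer."""
    return (last_day_of_month(now).timestamp() - snap_to_day(now).timestamp()) / 86400


def future_timespan(now):
    """The integer the subsearch hands to predict as future_timespan."""
    return round(raw_days_left(now))


def subsearch_value(now):
    """The single `search` field the subsearch returns, spliced into the outer search."""
    return f"future_timespan={future_timespan(now)}"


# Constructed sample instants (not from the thread).
SAMPLES = {
    "mid_january": datetime(2024, 1, 15, 10, 30, tzinfo=TZ),
    "before_dst_change": datetime(2024, 3, 5, 9, 0, tzinfo=TZ),  # DST begins 2024-03-10
    "last_day": datetime(2024, 2, 29, 23, 59, tzinfo=TZ),
}

if __name__ == "__main__":
    for label, when in SAMPLES.items():
        print(f"{label:18} {when.date()} raw={raw_days_left(when):.3f} -> {subsearch_value(when)}")
```

Two things the numbers make visible. In March 2024 the raw quotient is 25.958 rather than 26 because the local day of the DST change is 23 hours long, so truncating instead of rounding would lose a day; on the last day of the month the subsearch yields future_timespan=0. Two details of the SPL itself: the subsearch field has to be named search (as in the accepted answer), because Splunk splices a field of that name into the outer search verbatim, while any other field name is rendered as name="value" and predict then sees an option it does not know; and the "+1mon@mon" cutoff in the alternative answer is midnight on the 1st of next month, so with span=1d the `<=` comparison keeps that one extra bucket, and `<` is the tighter choice.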


New Member

Hi,

I am trying to apply the above search to my data but I am getting an error: "Error in 'eval' command: The expression is malformed".

It looks like the "future_timespan=" is not green and is not recognised for some reason, or I am not sure what I am doing wrong.

My search:
index=**** sourcetype=*****
| dedup incident
| timechart span=1d dc(incident) as dc_incident
| predict dc_incident
[| gentimes start=-1
| eval inc_vol_by_eom="future_timespan=".round(relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400)
| table inc_vol_by_eom]

0 Karma

Champion

Hi, you were missing a "(" between round( and relative_time, i.e. it should be round((relative_time

index=**** sourcetype=*****
| dedup incident
| timechart span=1d dc(incident) as dc_incident
| predict dc_incident
[| gentimes start=-1
| eval inc_vol_by_eom="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400)
| table inc_vol_by_eom]

0 Karma

New Member

Ahhhh thanks

0 Karma

New Member

Now I get a new error: "command="predict", unknown option inc_vol_by_eom=future_timespan=2"

0 Karma

Path Finder

Yes, very good and very fast!

0 Karma

Path Finder

To continue my quest - I want to add future predictions to current earnings to estimate a month total. I tried to use sum(prediction(Earnings)) but the result is wildly too high because it uses predictions for past days when we have no earnings (weekends) as well. Therefore I think I need to add actual earnings plus forecasts for the future days to get to a more realistic estimation. Is there a way to do that?

0 Karma

Path Finder

I found a solution, but my idea was bad, the answer is even worse than without this idea:
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings [| gentimes start=-1 | eval search="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400) | table search] as pred | stats sum(eval(if(_time<now(),0,pred))) as future1, sum(Earnings) as past1 | eval total=past1+future1

0 Karma
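The two posts above are about which buckets the month total should draw on: predict emits its prediction field for every bucket of the timechart, past and future, so summing it over the whole month counts the history a second time and replaces real weekend zeros with smoothed values. The following Python is an added example, not code from the thread, using a constructed daily series (zero earnings on weekends, a flat forecast that ignores weekends) to contrast summing all predictions with taking actuals up to today plus forecast strictly after today, which is what the stats/eval expression in the last search is aiming at. The values and the date chosen as "today" are constructed for the example.

```python
from datetime import date
import calendar


def days_of_month(day):
    """Every calendar day of the month containing `day`, one per span=1d bucket."""
    last = calendar.monthrange(day.year, day.month)[1]
    return [date(day.year, day.month, d) for d in range(1, last + 1)]


def constructed_series(today, weekday_earnings=100.0, forecast_per_day=80.0):
    """Constructed stand-in for the timechart + predict output: actual earnings
    exist only for buckets up to today (zero on weekends, as in the question),
    while the prediction is emitted for every bucket, past and future, and is a
    smoothed value that does not drop to zero on weekends."""
    actual = {}
    forecast = {}
    for d in days_of_month(today):
        if d <= today:
            actual[d] = weekday_earnings if d.weekday() < 5 else 0.0
        forecast[d] = forecast_per_day
    return actual, forecast


def sum_all_predictions(forecast):
    """sum(prediction(...)) over the whole month: counts past buckets as if
    they were still to come and ignores the observed weekend zeros."""
    return sum(forecast.values())


def month_estimate(actual, forecast, today):
    """Actuals for buckets up to and including today, forecast only for buckets
    strictly after today. The today bucket starts at midnight, so in SPL
    `_time<now()` treats it as past, exactly as `d <= today` does here."""
    past = sum(v for d, v in actual.items() if d <= today)
    future = sum(v for d, v in forecast.items() if d > today)
    return past + future


SAMPLE_TODAY = date(2024, 1, 15)  # constructed; a Monday

if __name__ == "__main__":
    actual, forecast = constructed_series(SAMPLE_TODAY)
    print("actual so far     :", sum(actual.values()))
    print("all predictions   :", sum_all_predictions(forecast))
    print("actual + forecast :", month_estimate(actual, forecast, SAMPLE_TODAY))
```

With these inputs the eleven weekdays up to 15 January contribute 1100, the sixteen remaining days contribute 16 x 80 = 1280, and the estimate is 2380, whereas summing every prediction gives 2480 and adding that to the actuals would roughly double-count the first half of the month. One caveat carries over to the SPL: the bucket for today holds only a partial day's earnings yet is treated as past, so the estimate is slightly low until the day closes.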