Solved: Prediction on disk transfer / sec

singh3and12 · ‎05-19-2019

Hi ,

I have used following query for predicting disk transfer of particular host, here we are using LLP algorithm in predict command so, under visualization tab the two confidence interval along with the predicted value is reflecting, for future 10 days. i just wanted to show only the predicted value on the dashboard. while we hover over. i did use the supress command but somehow it dint work. Any help would be appreciated.

below is query,

index="acn_infrastructure_tier3_idx" metric_label="PhysicalDisk : Disk Transfers/sec Alert" source_host=AUSYDSPLUNK6 earliest=-15d |timechart span=5min avg(metric_value)
as "Disk Transfer/sec" |predict "Disk Transfer/sec" AS "Predicted value"
algorithm=LLP future_timespan=2880 |sort _time desc

DavidHourani · ‎05-20-2019

Hi @singh3and12,

If you want to get rid of the upper and lower intervals in your predict you simply have to get rid of the lower and upper fields like this :

index="acn_infrastructure_tier3_idx" metric_label="PhysicalDisk : Disk Transfers/sec Alert" source_host=AUSYDSPLUNK6 earliest=-15d |timechart span=5min avg(metric_value) 
as "DTs" |predict "DTs" AS "DTsPredicted" 
algorithm=LLP future_timespan=2880 |sort _time desc
| fields - lower95(DTsPredicted) upper95(DTsPredicted)

Let me know how that works out for you!

Cheers,
David

View solution in original post

singh3and12 · ‎05-21-2019

Hi David,

Thanks, it worked for me.... I am able to remove the upper n lower fields from the graph.

DavidHourani · ‎05-21-2019

most welcome @singh3and12 !

DavidHourani · ‎05-20-2019

Hi @singh3and12,

If you want to get rid of the upper and lower intervals in your predict you simply have to get rid of the lower and upper fields like this :

index="acn_infrastructure_tier3_idx" metric_label="PhysicalDisk : Disk Transfers/sec Alert" source_host=AUSYDSPLUNK6 earliest=-15d |timechart span=5min avg(metric_value) 
as "DTs" |predict "DTs" AS "DTsPredicted" 
algorithm=LLP future_timespan=2880 |sort _time desc
| fields - lower95(DTsPredicted) upper95(DTsPredicted)

Let me know how that works out for you!

Cheers,
David

singh3and12 · ‎05-20-2019

it dint work out... still the same... i did try to change it and run but getting the same result

koshyk · ‎05-20-2019

when i use above query, i get ONLy the predicted_value in my dashboard. Is that what you were looking for?

singh3and12 · ‎05-20-2019

yes i was looking for predicted value and the present value(the current real time along) in the dashboard. but when i run it after using where clause.. and hover over it does reflect the lower n upper values .. also

koshyk · ‎05-20-2019

ah.sorry. I misunderstood. I thought you just need the predicted value ONLY.

Normally, the current value is shown with different colour and predicted_value with another colour. I'm not sure a way to set focus on mouse drag. May be experts in UI would help on that.

singh3and12 · ‎05-20-2019

for me.. all are coming in smae color only it gets differentiated when i hover over the graph

koshyk · ‎05-20-2019

which version of Splunk you using? Mine comes with blue colour (default) for old values and yellow for predicted values

singh3and12 · ‎05-21-2019

we are using 7.1 version.

singh3and12 · ‎05-20-2019

is there any other way to achieve it .. would be helpful.

koshyk · ‎05-20-2019

Please try

index="acn_infrastructure_tier3_idx" metric_label="PhysicalDisk : Disk Transfers/sec Alert" source_host=AUSYDSPLUNK6 earliest=-15d 
|timechart span=5min avg(metric_value)  as disk_transfer_sec
|predict disk_transfer_sec AS predicted_value  algorithm=LLP future_timespan=2880 
| where _time > now()

..

Prediction on disk transfer / sec

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk