Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk predict command period vs future_timespan?

kdimaria
Communicator
‎09-07-2017 04:47 AM

I am wondering if anyone has an explanation of exactly what period is and what future_timespan is? I already read the document http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Predict which talks about both of the parameters but I am still really confused on what exactly they do and would like for someone to explain them to me in their own words. Thank you!

Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-07-2017 05:08 AM

Period is the data that is crunched in order to determine the prediction.

Lets say i have a single event every day at 1pm with a field that contains a number. The value of that field has decreased by 1 every day for the last 7 days. If i specify a period of 7, the algorithm would see that over the last 7 days, the number has decreased by 1 every day... and therefore is likely to continue decreasing by 1 with very little margin for error in the prediction...

If however the event was up by 10 every day for days 1-3, and down by one every day from days 4-10, and I specify a period of 10... then the algorithm is going to give a wider margin of predictions.

future_timespan is how far into the future to predict results. If you specify a future_timespan of 50 with the previous example, since the data comes in once per day, the predict command would produce 50 days of future predicted data points.

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-07-2017 05:08 AM

Period is the data that is crunched in order to determine the prediction.

Lets say i have a single event every day at 1pm with a field that contains a number. The value of that field has decreased by 1 every day for the last 7 days. If i specify a period of 7, the algorithm would see that over the last 7 days, the number has decreased by 1 every day... and therefore is likely to continue decreasing by 1 with very little margin for error in the prediction...

If however the event was up by 10 every day for days 1-3, and down by one every day from days 4-10, and I specify a period of 10... then the algorithm is going to give a wider margin of predictions.

future_timespan is how far into the future to predict results. If you specify a future_timespan of 50 with the previous example, since the data comes in once per day, the predict command would produce 50 days of future predicted data points.

Reply
Solved! Jump to solution

kdimaria
Communicator
‎09-07-2017 05:11 AM

Thank you I think I finally get it now

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎09-07-2017 05:03 AM

@kdimaria, period and future_timespan arguments are different for sure.

In order to improve prediction you can add period argument with data points after which your data pattern repeats. For example if you have a timechart with span=1d (1 day) and your weekly trends are similar i.e. Every Moday your events rise and every Thursday is your Peak, your events start declining from Friday and Sunday is no/minimal traffic. Then you would define 7 as your period.

| timechart span=1d count as Traffic
| predict algorithm=LLP period=7

The future_timespan argument tells predict command how many future buckets to predict based on your time span selected. i.e. if you have set it to 5, and timechart span=1d it will predict upcoming 5 days.

| timechart span=1d count as Traffic
| predict algorithm=LLP period=7 future_timespan=5

Please let us know if this is what you required or something else?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

kdimaria
Communicator
‎09-07-2017 05:12 AM

Thank you! I think I understand now. the period was just very confusing.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...