Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

StateSpaceForecast holdback and forecast_k for evaluation on hold out set

rfdickerson
New Member
‎01-30-2025 09:18 AM

I am training and evaluating a forecast model using MLTK's StateSpaceForecast. I would like to fit on part of the dataset, and have a held back testing set to evaluate. The trick, though, is that I want the forecaster to forecast out 15 minutes in the future while autoregressively looking at the current feature values. 

For example, take my query that tries to find the TPR, FPR, etc. for exceeding some SLA violation using my holdout set. Currently, it just uses the beginning of the holdout set to predict out 2 hours. 

 

 

    | fit StateSpaceForecast latency_p95_log from latency_p95_log, threadcount_p95, threadcount, total_socket_errors, n_running_procs, time_wait_cpu, HourOfDay, DayOfWeek holdback=2h forecast_k=15m conf_interval=95 into ml_latency_forecast
    | apply ml_latency_forecast forecast_k=2h holdback=2h
    | eval predicted = exp('predicted(latency_p95_log)')
    | eval predicted_low=exp('lower95(predicted(latency_p95_log))'), predicted_high=exp('upper95(predicted(latency_p95_log))')
    | eval predicted_SLA = if(predicted > 1.0, 1, 0)
    | eval true_positive = if(predicted_SLA=1 AND SLA_violation=1, 1, 0)
    | eval false_positive = if(predicted_SLA=1 AND SLA_violation=0, 1, 0)
    | eval true_negative = if(predicted_SLA=0 AND SLA_violation=0, 1, 0)
    | eval false_negative = if(predicted_SLA=0 AND SLA_violation=1, 1, 0)
    | eval holdout = if(isnull('lower95(predicted(latency_p95_log))'), 0, 1)
    | table _time predicted predicted_high predicted_low latency_p95

 

 


Is there any examples someone can help give me for doing a forecast and evaluating the fit on on-seen data during training? 

Splunk MLTK Algorithms on GitHub 

Labels (1)
Labels
0 Karma
Reply

tscroggins
Influencer
‎03-01-2025 03:31 PM

Hi @rfdickerson,

The Python source code for Splunk's implementation of StateSpaceForecast is collectively in:

$SPLUNK_HOMEetc/apps/Splunk_ML_Toolkit/bin/algos/StateSpaceForecast.py
$SPLUNK_HOMEetc/apps/Splunk_ML_Toolkit/bin/algos_support/statespace/*

The StateSpaceForecast algorithm is similar to the Splunk predict command.

If you're not managing your own Splunk instance, you can download the MLTK archive from Splunkbase and inspect the files directly.

The holdback and forecast_k parameters function as described. You may want to look at the partial_fit parameter for more control over the window of data used to update your model dynamically before using apply and (eventually) calculating TPR and FPR.

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...