Splunk Search

compare time forecasts to incoming data

Deniz_Oe
Explorer

Hey all,

I am currently trying to achieve the following:

Train a Kalman filter with a periodicity I found via autocorrelation on the last 3 weeks of data and make a prediction for one week of future data. I do this as follows:

 

index = cisco_prod 
| timechart span=1h count as logins_hour 
| fit ACF logins_hour k=200 fft=true conf_interval=95 as corr 
| top limit=2 acf(corr),Lag 
| stats max(Lag) as corr_lag 
| map search="search index = cisco_prod | timechart span=1h count as logins_hour | predict \"logins_hour\" as prediction algorithm=LLP holdback=200 future_timespan=368 period=$corr_lag$ upper95=upper95 lower95=lower95"
| `forecastviz(368, 200, "logins_hour", 95)`

 

But how do I now use these predictions for the coming week to actually compare them to the incoming data? The thing is, I don't want to always train the Kalman filter with new data, because if I feed it with anomalies it will not make correct predictions for the future.

Has anyone an idea? 
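
One way to keep the forecast frozen and score new data against it, as an added example that is not part of the original post: a scheduled search writes only the forecast rows to a lookup, and a second search compares each completed hour to the stored band without refitting. The lookup name `login_forecast.csv`, the `hour_key` field, the schedules, the 21-day window, the dropped `holdback` and `future_timespan=168` (one week of hourly points) are assumptions.

```spl
index=cisco_prod earliest=-21d@h latest=@h `comment("Search A, assumed weekly schedule: fit once on the last 3 weeks")`
| timechart span=1h count as logins_hour
| fit ACF logins_hour k=200 fft=true conf_interval=95 as corr
| top limit=2 acf(corr),Lag
| stats max(Lag) as corr_lag
| map search="search index=cisco_prod earliest=-21d@h latest=@h | timechart span=1h count as logins_hour | predict \"logins_hour\" as prediction algorithm=LLP future_timespan=168 period=$corr_lag$ upper95=upper95 lower95=lower95"
| where isnull(logins_hour) `comment("keep only forecast rows; predict leaves the observed field empty for future hours")`
| eval hour_key=strftime(_time, "%Y-%m-%d %H")
| fields hour_key prediction lower95 upper95
| outputlookup login_forecast.csv

index=cisco_prod earliest=-1h@h latest=@h `comment("Search B, assumed hourly schedule: score the last full hour, no refit")`
| timechart span=1h count as logins_hour
| eval hour_key=strftime(_time, "%Y-%m-%d %H")
| lookup login_forecast.csv hour_key OUTPUT prediction lower95 upper95
| where isnotnull(prediction) AND (logins_hour < tonumber(lower95) OR logins_hour > tonumber(upper95))
| eval deviation=logins_hour - tonumber(prediction)
```

The two searches are saved and scheduled separately; Search B returns a row only when the hour falls outside the stored 95% band, so it can back an alert directly. Comments use the Search app's `comment` macro.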

 
