We want to produce correlations between two different (timestamp,value) series. We basically want to plot one value against the other and show the results on a chart.
We can get the data we want in a table like this:
As you can see in the example above, we can have gaps (nulls) in the data, corresponding to timestamps when either one or the other series does not have a recorded value.
Can Splunk fill in those gaps by interpolating the missing values? How?
After doing this we would get a table like this:
where x3_interp and y2_interp are values obtained by doing some interpolation on the x and y series (Spline, linear etc).
The we would apply "| chart v1 by v2" to see the graph.
A native Splunk solution, cross-posted from http://answers.splunk.com/answers/147907/how-to-perform-spectrum-analysis
Here's a run-anywhere example using _internal data coming in every 30s, interpolated to 10s:
index=_internal eps="*" group=per_host_thruput | head 10 | timechart fixedrange=f span=10s avg(ev) as ev | eval value_time = case(isnotnull(ev), _time) | streamstats last(ev) as last_ev last(value_time) as last_time | reverse | streamstats last(ev) as next_ev last(value_time) as next_time | reverse | eval interpolated_ev = last_ev + ((_time - last_time) / (next_time - last_time)) * (next_ev - last_ev)
First line grabs data and builds a timechart with data gaps in it.
Second line prepares lots of data to fill in the gaps: previous value, next value, time of previous value, time of next value
Last line calculates the naïve linearly interpolated value.
_time ev interpolated_ev 2014-07-30 00:55:00 99 2014-07-30 00:55:10 98.000000 2014-07-30 00:55:20 97.000000 2014-07-30 00:55:30 96 2014-07-30 00:55:40 101.000000 2014-07-30 00:55:50 106.000000 2014-07-30 00:56:00 111
I came upon this while searching for interpolation solution myself. After comparing your use case and my own, I come to the following.