- project trendlines into future

ddholstadz

Explorer

02-04-2011
05:25 PM

1 Solution


Paolo_Prigione

Builder

02-06-2011
10:20 PM

There actually is no easy way, I fear. You'd need to:

- compute the trendline equation to do that (y = m * _time + b); see http://www.tutorvista.com/content/math/geometry/straightlines/two-point-form.php
- extend the time field into future
- compute the new y over time (the easy part...just an eval)

But.... which is the best window to compute your trendline upon? 5, 20, 30, 1000 events? That totally depends on the case...

Ok, let's move on...here's my approach, in bullet points (I'll use _time as x axis, y as y axis):

- You need to compute the best trendline you see fit your data and produce a field "y"
- To compute the equation of a line you need 2 (x,y) couples, which you can produce by moving the previous event's y and _time values to the current event. I'll use autoregress and name the two points as (curr_time,curr_y) (prev_time,prev_y)
- You do the math and compute slope (m) and y-intercept (b) -> here's your equation!
- Now, you said you want the future...so you don't have data for it. You'll have to "gentimes", and then put your slope and intercept into each event.
- You compute the predicted value of y
- You chart y over time

Here's my try.

```
| gentimes start=01/01/11 end=02/28/11 increment=6h
| eval jf=1
| join jf [
```

Get a time span and prepare to join the m and b values to all the results:

```
search <your search and computation of y here>
| autoregress y as prev_y
| autoregress _time as prev_time
| rename y as curr_y
| eval curr_time=_time
| head 1
```

Head 1 gets the latest event only, which now has data for the 2 points the prediction line will pass through. Now I'll do the math:

```
| eval m=(curr_y - prev_y)/(curr_time - prev_time)
| eval b=(prev_y * curr_time - curr_y * prev_time) / (curr_time - prev_time)
| eval jf=1
| fields + m b jf
]
```

I now have a single result with three fields only, jf (join field) is just for the join operation.

```
| eval y= m*starttime + b
| eval _time=starttime
| chart values(y) over _time
```

Your predicted y value for the future.
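
The two-point fit and projection from the answer above, as an added Python example that is not part of the original post, so the arithmetic can be checked outside Splunk. It goes one step beyond the answer by also fitting a least-squares line over a whole window, which bears on the answer's question about window size; the sample data and all function names are constructed for illustration.

```python
# Constructed sample: (epoch_seconds, y) pairs, newest first, 6 h apart.
# The underlying trend rises over time; the second-newest point carries a +3 spike.
T0 = 1296518400  # constructed epoch value
STEP = 21600     # 6 hours, matching increment=6h in the answer
SAMPLE = [(T0 - i * STEP, 100.0 - 2.0 * i + (3.0 if i == 1 else 0.0))
          for i in range(8)]


def two_point_line(curr, prev):
    """Slope m and intercept b through two points, using the same
    expressions as the answer's eval statements."""
    (curr_time, curr_y), (prev_time, prev_y) = curr, prev
    dt = curr_time - prev_time
    if dt == 0:
        raise ValueError("both points share a timestamp; slope undefined")
    m = (curr_y - prev_y) / dt
    b = (prev_y * curr_time - curr_y * prev_time) / dt
    return m, b


def least_squares_line(points):
    """Added alternative: ordinary least-squares fit over a window."""
    n = len(points)
    if n < 2:
        raise ValueError("need at least two points")
    mean_t = sum(t for t, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in points)
    if sxx == 0:
        raise ValueError("all points share a timestamp; slope undefined")
    m = sum((t - mean_t) * (y - mean_y) for t, y in points) / sxx
    return m, mean_y - m * mean_t


def project(m, b, start, end, step):
    """Evaluate y = m*t + b on a future time grid (the gentimes + eval step)."""
    return [(t, m * t + b) for t in range(start, end, step)]


if __name__ == "__main__":
    m2, b2 = two_point_line(SAMPLE[0], SAMPLE[1])
    mw, bw = least_squares_line(SAMPLE)
    for t, y in project(m2, b2, T0 + STEP, T0 + 5 * STEP, STEP):
        print(t, round(y, 2), round(mw * t + bw, 2))
```

With the constructed sample, the two-point slope comes out negative while the window fit is positive, because a single noisy point dominates a fit made from only the last two events.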


Paolo_Prigione

Builder

02-07-2011
10:09 PM


Lowell

Super Champion

02-07-2011
06:09 PM
