There actually is no easy way, I fear. You'd need to:
But.... which is the best window to compute your trendline upon? 5, 20, 30, 1000 events? That totally depends on the case...
Ok, let's move on...here's my approach, in bullet point (I'll use _time as x axis, y as y axis):
Here's my try.
| gentimes start=01/01/11 end=02/28/11 increment=6h
| eval jf=1
| join jf [
Get a time span and prepare to join the m and b values to all the results:
search <you search and computation of y here>
| autoregress y as prev_y
| autoregress _time as prev_time
| rename y as curr_y
| eval curr_time=_time
| head 1
Head 1 gets the latest event only, which now has data for the 2 points the prediction line will pass through. Now I'll do the math
| eval m=(curr_y - prev_y)/(curr_time - prev_time)
| eval b=(prev_y * curr_time - curr_y * prev_time) / (curr_time - prev_time)
| eval jf=1
| fields + m b jf
]
I now have a single result with three fields only, jf (join field) is just for the join operation.
| eval y= m*starttime + b
| eval _time=starttime
| chart values(y) over _time
Your predicted y value for the future.
There actually is no easy way, I fear. You'd need to:
But.... which is the best window to compute your trendline upon? 5, 20, 30, 1000 events? That totally depends on the case...
Ok, let's move on...here's my approach, in bullet point (I'll use _time as x axis, y as y axis):
Here's my try.
| gentimes start=01/01/11 end=02/28/11 increment=6h
| eval jf=1
| join jf [
Get a time span and prepare to join the m and b values to all the results:
search <you search and computation of y here>
| autoregress y as prev_y
| autoregress _time as prev_time
| rename y as curr_y
| eval curr_time=_time
| head 1
Head 1 gets the latest event only, which now has data for the 2 points the prediction line will pass through. Now I'll do the math
| eval m=(curr_y - prev_y)/(curr_time - prev_time)
| eval b=(prev_y * curr_time - curr_y * prev_time) / (curr_time - prev_time)
| eval jf=1
| fields + m b jf
]
I now have a single result with three fields only, jf (join field) is just for the join operation.
| eval y= m*starttime + b
| eval _time=starttime
| chart values(y) over _time
Your predicted y value for the future.
It felt like secondary school, solving line equations...just funnier. Thanks Lowell, much appreciated!
Wow, that's pretty intense. Looks like this may be a good candidate for a macro; I'd hate to have to retype that several times. 😉 Nice work.