Splunk Search

Splunk predict period limit 2000?

wt0217
New Member

Dear all experts,

We have some data that is generated every 5 minutes.

We want to predict it, and we need to use the seasonal local level algorithm, because our data period is 1 week.

Therefore: 12 points in one hour, 288 points in one day, 2016 points in 1 week.

When I try to predict it, an error occurs:

1.png

 

========================================================================

My source code:

index=traffic TP13G
| eval Timestamp = strftime(_time,"%Y/%m/%d %H:%M:%S")
| table _time Timestamp Source ip Port Description BW Incoming Outgoing
| eval total=Incoming+Outgoing
| timechart span=5m limit=0 avg(total) as total by equipment
| fields _time TP13G
| timechart span=5m values(TP13G) as CEN_TP13G
| predict "CEN_TP13G" as CEN_TP13G_prediction algorithm=LLP holdback=0 future_timespan=2016 period=2016 upper95=upper95 lower95=lower95
| eval isOutlier = if(CEN_TP13G_prediction!="" AND 'CEN_TP13G_prediction' != "" AND ('CEN_TP13G_prediction' < 'lower95(CEN_TP13G_prediction)' OR 'CEN_TP13G_prediction' > 'upper95(CEN_TP13G_prediction)'), "Outlier", "0")
| eval check=strftime(_time,"%Y/%m/%d %H:%M:%S")
| eval check=strptime(check,"%Y/%m/%d %H:%M:%S")
| where check > now()-604800
| fields - check
| rename lower95(CEN_TP13G_prediction) as predict_low
| rename upper95(CEN_TP13G_prediction) as predict_high
| fields + _time CEN_TP13G_prediction , CEN_TP13G isOutlier
| eval CEN_TP13G_prediction=round(CEN_TP13G_prediction,3)

==========================================================================

Is there any way to modify the period limit from 2000 to 2016?

Thanks for your help!

Will Tseng
