Hello!
I'm really new to Splunk's Machine Learning Toolkit, so any help would be greatly appreciated. Thank you.
I'm trying to forecast time series for multiple apps in my query. My current query is:
index=... report=1min_rollup apps="..." earliest="06/07/2017:10:00:00" latest="06/07/2017:11:00:00"
| stats sum(COUNT) as sum_count by _time,apps | stats avg(sum_count) as avgCount by _time, apps
| bin _time span=5m
| eval time=_time%3600
| join orig_sourcetype time
[ search index=... report=1min_rollup apps="..." earliest="06/07/2017:11:00:00" latest="06/07/2017:12:00:00"
| stats sum(refCOUNT) as sum_ref_count by _time, apps
| bin _time span=5m
| stats avg(sum_ref_count) as avgrefCount,
stdev(sum_ref_count) as stdrefCount by _time, apps
| eval time=_time%3600]
| eval State=case((avgCount <=(avgrefCount+stdrefCount )),"Green",
true(),"Red")
| stats values(apps) by _time, State
| outputlookup eg.csv
This gives me the lookup table eg.csv which looks like:
_time | State | values(apps)
hh:mm:ss| Green | app1 app2 app10
...
Now, I want to forecast the state of the apps on this time series. But since the state is calculated based on the range in which the avgCount falls, I feel instead of just forecasting the state, we must forecast the avgCount, avgrefCount, and stdrefCount and then calculate the state. Do you think this is the way forward? If so, how do I intertwine these forecast time series to calculate the state at any given time?
Thank you! Your help is greatly appreciated!
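One way to recombine separately forecast series into the State rule from the post, as an added Python example that is not from the original thread or from Splunk's MLTK: it assumes each of avgCount, avgrefCount and stdrefCount has been forecast per app with a point value plus a lower/upper interval (the row keys pred/lo/hi and the sample values are assumptions), joins them by time and app the way the SPL join does, and applies the post's case() rule. The worst_case flag shows the caveat that thresholding point forecasts hides the interval uncertainty.

```python
from collections import defaultdict

REQUIRED = ("avgCount", "avgrefCount", "stdrefCount")

# Constructed sample rows shaped like per-field forecast output: a point
# estimate plus a lower/upper interval. Apps and numbers are made up.
SAMPLE_ROWS = [
    {"time": "10:05", "apps": "app1", "field": "avgCount",    "pred": 120.0, "lo": 100.0, "hi": 140.0},
    {"time": "10:05", "apps": "app1", "field": "avgrefCount", "pred": 125.0, "lo": 115.0, "hi": 135.0},
    {"time": "10:05", "apps": "app1", "field": "stdrefCount", "pred": 10.0,  "lo": 8.0,   "hi": 12.0},
    {"time": "10:05", "apps": "app2", "field": "avgCount",    "pred": 90.0,  "lo": 80.0,  "hi": 100.0},
    {"time": "10:05", "apps": "app2", "field": "avgrefCount", "pred": 70.0,  "lo": 65.0,  "hi": 75.0},
    {"time": "10:05", "apps": "app2", "field": "stdrefCount", "pred": 5.0,   "lo": 4.0,   "hi": 6.0},
    # app3 has no reference forecast for this slot, so it cannot be scored.
    {"time": "10:05", "apps": "app3", "field": "avgCount",    "pred": 50.0,  "lo": 40.0,  "hi": 60.0},
]


def join_forecasts(rows):
    """Group the three forecast series by (time, apps), like the SPL join."""
    joined = defaultdict(dict)
    for r in rows:
        joined[(r["time"], r["apps"])][r["field"]] = (r["pred"], r["lo"], r["hi"])
    # Drop slots missing any series; an inner join would drop them as well.
    return {k: v for k, v in joined.items() if all(f in v for f in REQUIRED)}


def state(series, worst_case=False):
    """Post's rule: Green if avgCount <= avgrefCount + stdrefCount, else Red.

    worst_case=True compares the upper bound of avgCount with the lower bound
    of the threshold, so Red is reported whenever the intervals allow a breach.
    """
    ac, _, ac_hi = series["avgCount"]
    ar, ar_lo, _ = series["avgrefCount"]
    sd, sd_lo, _ = series["stdrefCount"]
    if worst_case:
        return "Green" if ac_hi <= ar_lo + sd_lo else "Red"
    return "Green" if ac <= ar + sd else "Red"


def forecast_states(rows, worst_case=False):
    """Return {(time, apps): State} for every slot with all three forecasts."""
    return {k: state(v, worst_case) for k, v in join_forecasts(rows).items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("worst_case" if mode else "point", forecast_states(SAMPLE_ROWS, mode))
```

Note that app1 is Green on point forecasts but Red under worst_case, which is the kind of difference a purely point-based State would not surface.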