Why is the predict command producing unexpected re...

kishorksudha · ‎06-30-2016

I have volumes that are ingested into Splunk for the past 6 months
Need to predict the volumes for the following period

-1 month
- 15 days
- 7 days
- 1 day
- 1 hour

I tried using the timechart with varying span (1h / 1d / 7d / 1w / 15d / 1mon) and the predict command.
The volumes were accurate enough for monthly prediction; but for weekly, daily, and hourly predictions, the values varied too much and the values were totally wrong.

for ex. I don't have any volumes at 00, 01, 02, and 03 hour on any particular day, but the predicted volume using the search:

index ...... | timechart span=1h Actual | predict Actual algorithm=LLP5

shows values at these hours. Not sure what I am doing wrong here

Can someone help me on this?

Richfez · ‎07-01-2016

My guess is that it's guessing the periods of the "seasonality" wrong. I'm no expert so I'm just guessing, but if you run it for the past week and are looking at an hour-by-hour, maybe adding period=7 may help? Check the predict docs for how to use it. Play around a bit, let us know what you find!

kishorksudha · ‎07-02-2016

Thanks for the response,
I have tried using "period=7" before posting; it is not able to get the lows which is on saturday / sundays;

for ex, if the vols on Sat / Sun is as low as 10 and for the rest of the week it hovers around 200 on a hourly basis at peak period.
the predicted volumes show around 150 on Sat / Sun also.

Tried experimenting with LL LLP5 LLP LLT also , not successfull at getting one algorithm which fits all these

Thanks
Kishor

Why is the predict command producing unexpected results with my current timechart search?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...