Splunk Search

variable to control the value of `future_timespan` in the predict function?

HattrickNZ
Motivator

Is there a way I can use a variable to control the value of future_timespan in the predict function?

I have tried this approach:
```
timechart span=d max(kpi1) as kpi1| eval x =808 |
predict kpi1 as kpi1 future_timespan=x holdback=1 |
```

So what I am thinking is there would be some input type that would control the variable for future_timespan. Any idea if this can be achieved?

0 Karma
1 Solution

gwobben
Communicator

Why not use a token directly?

```
timechart span=d max(kpi1) as kpi1 | predict kpi1 as kpi1 future_timespan=$your_timespan$ holdback=1
```

Just make a text input with the token name your_timespan and you should be good to go...

0 Karma

HattrickNZ
Motivator

Yeah, maybe you're right. Thanks.

0 Karma

rvencu
Path Finder

Hi, this is still good for manual control. What about predicting earnings to the end of the current month based on previous values? Every day the end of the current month is a day closer. I tried to use a formula and a subsearch, but every time I get errors that future_timespan=xxx is invalid.

0 Karma

gwobben
Communicator

Sure you can, though it's not pretty, and not very easy. I've got 2 examples, please note that these examples are based on 1h timespans (!)

(1) The hard but exact way (calculate the time until the end of the month, divide it by the span, and then use the calculated value as the future_timespan)

```
| noop | stats count | eval end_of_month = relative_time(now(), "@mon+1mon") | eval now = now() | eval difference_seconds = end_of_month - now | eval difference_hours = difference_seconds / 3600 | eval difference = round(difference_hours, 0)
| map search="search index=_internal | timechart span=1h count | predict count future_timespan=$difference$"
| table _time *
```

(2) The brute force way (predict too much, remove anything you don't need)

```
index=_internal | timechart span=1h count | predict count future_timespan=744 | eval end_of_month = relative_time(now(), "@mon+1mon") | where _time<=end_of_month | fields - end_of_month
```

0 Karma
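Added example, not part of the thread or of Splunk's own code: when the search is built outside a dashboard (for example by a script that submits it), the same two ideas can be combined, with the value checked as a bounded positive integer before it is placed in the search text. It generalises the 1h calculation above to any span length; the function names and the upper bound are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

MAX_FUTURE_TIMESPAN = 5000  # assumed cap for this example, not a documented Splunk limit


def validate_future_timespan(raw, upper=MAX_FUTURE_TIMESPAN):
    """Accept only a plain positive integer; anything else never reaches the search."""
    text = str(raw).strip()
    if not re.fullmatch(r"[0-9]{1,6}", text):
        raise ValueError(f"future_timespan must be digits only, got {text!r}")
    value = int(text)
    if not 1 <= value <= upper:
        raise ValueError(f"future_timespan must be between 1 and {upper}")
    return value


def spans_until_month_end(now, span_seconds):
    """Number of spans from `now` to the start of next month, rounded half up.

    Same arithmetic as relative_time(now(), "@mon+1mon") - now(), divided by the span.
    """
    first_of_month = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    next_month = (first_of_month + timedelta(days=32)).replace(day=1)
    remaining = (next_month - now).total_seconds()
    return max(1, int(remaining / span_seconds + 0.5))


def build_predict_search(base_search, field, span, future_timespan):
    """base_search, field and span are fixed by the caller; only the count varies."""
    n = validate_future_timespan(future_timespan)
    return (f"{base_search} | timechart span={span} max({field}) as {field} "
            f"| predict {field} as {field} future_timespan={n} holdback=1")


if __name__ == "__main__":
    now = datetime(2024, 2, 27)  # constructed sample date
    days = spans_until_month_end(now, 86400)
    print(build_predict_search("index=_internal", "kpi1", "1d", days))
```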
