Solved: Splunk predict command period vs future_timespan?

kdimaria · ‎09-07-2017

I am wondering if anyone has an explanation of exactly what period is and what future_timespan is? I already read the document http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Predict which talks about both of the parameters but I am still really confused on what exactly they do and would like for someone to explain them to me in their own words. Thank you!

jkat54 · ‎09-07-2017

Period is the data that is crunched in order to determine the prediction.

Lets say i have a single event every day at 1pm with a field that contains a number. The value of that field has decreased by 1 every day for the last 7 days. If i specify a period of 7, the algorithm would see that over the last 7 days, the number has decreased by 1 every day... and therefore is likely to continue decreasing by 1 with very little margin for error in the prediction...

If however the event was up by 10 every day for days 1-3, and down by one every day from days 4-10, and I specify a period of 10... then the algorithm is going to give a wider margin of predictions.

future_timespan is how far into the future to predict results. If you specify a future_timespan of 50 with the previous example, since the data comes in once per day, the predict command would produce 50 days of future predicted data points.

View solution in original post

jkat54 · ‎09-07-2017

Period is the data that is crunched in order to determine the prediction.

Lets say i have a single event every day at 1pm with a field that contains a number. The value of that field has decreased by 1 every day for the last 7 days. If i specify a period of 7, the algorithm would see that over the last 7 days, the number has decreased by 1 every day... and therefore is likely to continue decreasing by 1 with very little margin for error in the prediction...

If however the event was up by 10 every day for days 1-3, and down by one every day from days 4-10, and I specify a period of 10... then the algorithm is going to give a wider margin of predictions.

future_timespan is how far into the future to predict results. If you specify a future_timespan of 50 with the previous example, since the data comes in once per day, the predict command would produce 50 days of future predicted data points.

kdimaria · ‎09-07-2017

Thank you I think I finally get it now

niketn · ‎09-07-2017

@kdimaria, period and future_timespan arguments are different for sure.

In order to improve prediction you can add period argument with data points after which your data pattern repeats. For example if you have a timechart with span=1d (1 day) and your weekly trends are similar i.e. Every Moday your events rise and every Thursday is your Peak, your events start declining from Friday and Sunday is no/minimal traffic. Then you would define 7 as your period.

| timechart span=1d count as Traffic
| predict algorithm=LLP period=7

The future_timespan argument tells predict command how many future buckets to predict based on your time span selected. i.e. if you have set it to 5, and timechart span=1d it will predict upcoming 5 days.

| timechart span=1d count as Traffic
| predict algorithm=LLP period=7 future_timespan=5

Please let us know if this is what you required or something else?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kdimaria · ‎09-07-2017

Thank you! I think I understand now. the period was just very confusing.

Splunk predict command period vs future_timespan?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!