Splunk Search

Need help on predict command usage in graph

kdimaria
Communicator

I have a trend graph that shows some data, then it's predicting out that data a couple of days forward. However, the prediction starts when the normal data starts, when I would rather have the prediction start on the graph where there is no previous data. Basically attaching itself to the previous trendline and adding on with its prediction. Is there a way to do this?

1 Solution

Sukisen1981
Champion
timechart span=5min avg(p) as Act | predict Act AS pred algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70 | eval pred=if(isnull(Act),pred,Act)

==
Assuming Act as actuals & pred as predicted field names


niketn
Legend

@kdimaria, if your intention is to distinguish prediction chart between current time span and future time span, you can try installing Machine Learning Toolkit app (https://splunkbase.splunk.com/app/2890/) which adds Forecast Chart visualization. As you can see the Current Time Series is highlighted in Red and Future Time Series in Blue, Current Confidence Interval in Orange and Future Confidence Interval in Green.


Refer to documentation for passing predict command parameters to forecastviz or modvizpredict macro: https://docs.splunk.com/Documentation/MLApp/latest/User/Customvisualizations#Forecast_Chart_.28Forec...

You can also refer to Forecast Time Series documentation on http://docs.splunk.com/Documentation/MLApp/latest/User/ForecastTimeSeries
Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kdimaria
Communicator

@Sukisen1981, this works, but when I eval the predict field, it gets rid of the upper and lower limit possibilities. Is there a way to keep those in the graph as well?


Sukisen1981
Champion

Hi,

Yes, I get what you mean - high(pred) and low(pred) are missing. However, try this:

timechart span=5min avg(p) as Act | predict Act AS pred algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70 | eval pred=if(isnull(Act),pred,Act) | rename high(pred) AS X | fields _time,Act,X,pred

You will get X plotted as the high limit values. Apply the same and rename low(pred) to Y.
Choose X and Y names as something like, hmmm, maybe "High / Low Limit".
I use the MLTK app like @niketnilay is saying....
