Splunk Search

How do I make a predict function more aggressive?

HattrickNZ
Motivator

How do I make a predict function more aggressive?

Below is an example of my predict example, search and graph:
... | predict Total as predict future_timespan=12 holdback=0 | fields - upper* lower*

pic of graph with predict function used

It is something I probably need to understand more of, and I am possibly entering the topic of polynomial or exponential types of growth. And maybe this is the case and the answer lies outside of predict.

Appreciate any advice/pointers to further reading/explanations on this.


Some useful questions i have been reading up on this:
how-to-create-a-search-to-predict-license-violation
prediction-function-algorithms-questions
predict-95-confidence-interval - good at explaining some basics
Predict Documentation

Note: I could use the upperX values, which would be more arressive(give me higher future values) but again I don't think this will be aggressive enough. maybe I need to look at the forecast option?

tks

0 Karma
1 Solution

cmerriman
Super Champion

if you try ARIMA, maybe try something like this:

| fit ARIMA _time Total order=0-2-7 forecast_k=12

https://docs.splunk.com/Documentation/MLApp/3.1.0/User/Algorithms#Time_Series_Analysis
you'll need the MLTK if you don't already have it.
https://splunkbase.splunk.com/app/2890/

View solution in original post

cmerriman
Super Champion

if you try ARIMA, maybe try something like this:

| fit ARIMA _time Total order=0-2-7 forecast_k=12

https://docs.splunk.com/Documentation/MLApp/3.1.0/User/Algorithms#Time_Series_Analysis
you'll need the MLTK if you don't already have it.
https://splunkbase.splunk.com/app/2890/

HattrickNZ
Motivator

An idea of what I got when trying the following

... | fit ARIMA Total order=0-2-7 forecast_k=12
Error in 'fit' command: Error while fitting "ARIMA" model: The computed initial MA coefficients are not invertible. You should induce invertibility by choosing a different model order.

... |fit ARIMA Total order=0-2-0 forecast_k=12
Error in 'fit' command: Error while fitting "ARIMA" model: operands could not be broadcast together with shapes (88,) (0,) (88,)

... | fit ARIMA _time Total order=0-2-0 forecast_k=12

... | fit ARIMA _time Total order=3-1-1 forecast_k=12
I could get this to display something in the graph without errors, not sure of what is doing, but that is more reading up for me to do.

In the meantime could you try and briefly relate the 3 values order needs to my data/graph.
order needs three values:

Number of autoregressive (AR) parameters
Number of differencing operations (D)
Number of moving average (MA) Parameters

0 Karma

cmerriman
Super Champion

Hopefully i explain this right.

so the AR parameter uses past values for the time series. the p value assigned is how many holdback orders it'll use.
the D parameter simply subtracts the current and previous values together d number of times to basically make the time series stationary
the MA parameter represents is basically a moving average to account for error, the value assigned determines how many terms to include.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...