How do I do a chart in splunk whereby I can forecast into the future?
Hi there, appreciate any help here. Coming from an Excel perspective and trying to implement some graphs I have in Excel in Splunk, as I can see the value of Splunk.
Appreciate any help!!
Two example graphs, 1 and 2, based on the data below.
Graph 1 has 8 known values (let's say Jan to Aug) and 4 unknown values (Sept to Dec). In this instance I have just used a forecast formula in Excel to get the values for Sept to Dec, and these would be shown in the graph.
Graph 2 is the same, but I would use a pivot chart in Excel and add a trend line to forecast into the future.
Date        Device   #    limit   #2
1/01/2012   A        1    10      1
1/02/2012   A        2    10      2
1/03/2012   A        3    10      3
1/04/2012   A        4    10      4
1/05/2012   A        5    10      5
1/06/2012   A        6    10      6
1/07/2012   A        7    10      7
1/08/2012   A        8    10      8
1/09/2012   A        9    10
1/10/2012   A        10   10
1/11/2012   A        11   10
1/12/2012   A        12   10
Splunk 5.0.* has two new magic commands, predict and x11, that may be what you are looking for.
predict: This one is pretty cool - you can use it to predict (estimate bounds for) future values of a variable/field.
Ex. predict/estimate the size of index=_internal 14 days out based on its last 30 days' size (can be very useful for capacity planning).
x11: helps with accounting for seasonal patterns to understand the actual/real trend of a time series.
Example:
index=_internal group="per_index_thruput" series=_internal earliest=-30d
| timechart sum(eval(kb/1024)) span=1d as size
| predict size algorithm=LLP future_timespan=14
See http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Predict
http://docs.splunk.com/Documentation/Splunk/5.0.1/Search/Aboutpredictiveanalytics
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/X11
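For reference, the Excel FORECAST the question wants to replicate is a least-squares straight line through the known points, extended over the months that have no value yet; Splunk's predict uses its own algorithms (LLP above), so this is the Excel-style baseline, not what predict computes. Added example, not from this thread or from Splunk: Python over the question's own table (constructed inline, the "#2" column with 8 known values), which also reports the first month the projected series reaches the "limit" column, the same shape of question as the capacity-planning use mentioned above.

```python
# Added example (not from the thread): Excel-style FORECAST = least-squares
# line through the known points, extended over the unknown months.
from datetime import date

# Constructed from the question's table: (month, "#2" value); None = to forecast
ROWS = [
    (date(2012, 1, 1), 1.0), (date(2012, 2, 1), 2.0), (date(2012, 3, 1), 3.0),
    (date(2012, 4, 1), 4.0), (date(2012, 5, 1), 5.0), (date(2012, 6, 1), 6.0),
    (date(2012, 7, 1), 7.0), (date(2012, 8, 1), 8.0), (date(2012, 9, 1), None),
    (date(2012, 10, 1), None), (date(2012, 11, 1), None), (date(2012, 12, 1), None),
]
LIMIT = 10.0  # the "limit" column, constant in the question's data


def linear_fit(xs, ys):
    """Return (intercept, slope) of the least-squares line, as Excel FORECAST does."""
    n = len(xs)
    x_bar, y_bar = sum(xs) / n, sum(ys) / n
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
    sxx = sum((x - x_bar) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("need at least two distinct x values")
    slope = sxy / sxx
    return y_bar - slope * x_bar, slope


def forecast(rows):
    """Fill each None with the fitted line; x is the 1-based month position."""
    known = [(i, y) for i, (_, y) in enumerate(rows, start=1) if y is not None]
    if len(known) < 2:
        raise ValueError("need at least two known values to fit a line")
    intercept, slope = linear_fit([i for i, _ in known], [y for _, y in known])
    return [(d, y if y is not None else intercept + slope * i)
            for i, (d, y) in enumerate(rows, start=1)]


def first_breach(series, limit):
    """First month whose actual-or-forecast value reaches the limit, else None."""
    for d, y in series:
        if y >= limit:
            return d
    return None


if __name__ == "__main__":
    series = forecast(ROWS)
    for i, (d, y) in enumerate(series):
        print(f"{d:%Y-%m}  {y:5.1f}  {'forecast' if ROWS[i][1] is None else 'actual'}")
    print("limit reached in:", first_breach(series, LIMIT))
```

With the linear 1..8 input the projection is exactly 9, 10, 11, 12 for Sept to Dec, so the limit of 10 is reached in October; on real data the fit will not be exact, which is where predict's bounds become useful.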
I think they are looking for an equivalent to Excel's FORECAST; I've been looking for this as well, the ability to statistically project current trends into the future. Any ideas?
By default the latest time of the range is now, but you can change it.
Example for a search going 4 days into the past to 8 days into the future:
earliest=-4d@d latest=+8d@d | timechart span=1d count by host
The behavior depends on the way your search defines the timestamp (timechart or bucket _time); you may have to define the missing fields, if any.
Wow, nearly posted this question again as I could not find it!!!
Anyhow, thanks yannK. That's the bit I got to myself with
index=X eventtype="Y" earliest=-90d@w1 latest=+90d@w1 | timechart span=1w max(Z) by Device
but the future values are blank. I want to somehow enter them with some forecast formula, as in Excel, as bmgilmore states below.