How do I do a chart in splunk whereby I can forecast into the future?

HattrickNZ
Motivator

Hi there, appreciate any help here. Coming from an Excel perspective and trying to implement some graphs I have in Excel in Splunk, as I can see the value of Splunk.
Appreciate any help!!

Two example graphs, 1 and 2, based on the data below.

Graph 1 has 8 known values (let's say Jan to Aug) and 4 unknown values (Sept to Dec). In this instance I have just used a forecast formula in Excel to get the values for Sept to Dec, and this would be shown in the graph.

Graph 2 is the same, but I would use a pivot chart in Excel and add a trend line to forecast into the future.

Date       Device  #   limit  #2
1/01/2012  A       1   10     1
1/02/2012  A       2   10     2
1/03/2012  A       3   10     3
1/04/2012  A       4   10     4
1/05/2012  A       5   10     5
1/06/2012  A       6   10     6
1/07/2012  A       7   10     7
1/08/2012  A       8   10     8
1/09/2012  A       9   10
1/10/2012  A       10  10
1/11/2012  A       11  10
1/12/2012  A       12  10


yannK
Splunk Employee

Splunk 5.0.* has two new magic commands, predict and x11, that may be what you are looking for.

predict: This one is pretty cool; you can use it to predict (estimate bounds for) future values of a variable/field.
Ex. predict/estimate the size of index=_internal 14 days out based on its last 30 days' size (can be very useful for capacity planning).
x11: helps one with accounting for seasonal patterns, to understand the actual/real trend of a time series.

example:
index=_internal group="per_index_thruput" series=_internal earliest=-30d
| timechart span=1d sum(eval(kb/1024)) as size
| predict size algorithm=LLP future_timespan=14

see http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Predict
http://docs.splunk.com/Documentation/Splunk/5.0.1/Search/Aboutpredictiveanalytics
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/X11

bmgilmore
Path Finder

I think they are looking for an equivalent to Excel's forecast. I've been looking for this as well, the ability to statistically project current trends into the future. Any ideas?


yannK
Splunk Employee

By default the latest time is now, but you can change it.
Example for a search going 4 days into the past and 8 days into the future:

earliest=-4d@d latest=+8d@d | timechart span=1d count by host

The behavior depends on the way your search defines the timestamp (timechart or bucket _time); you may have to define the missing fields, if any.


HattrickNZ_2
Engager

wow, nearly posted this question again as I could not find it!!!

Anyhow, thanks yannK. That's the bit I got to myself with
index=X eventtype="Y" earliest=-90d@w1 latest=+90d@w1 | timechart span=1w max(Z) by Device

but the future values are blank; I want to somehow enter them with some forecast formula as in Excel, as bmgilmore states below.
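Added example, not code from any poster in the thread: the Excel forecast formula the question describes is an ordinary least-squares line, reproduced here in Python over the question's own table (a constructed copy; the dates are assumed to be day/month/year) so the Sept to Dec values, and the month at which the trend crosses the "limit" column, can be checked before reaching for Splunk's predict command.

```python
# Added example, not code from the thread: Excel FORECAST reproduced as an OLS line.
# Constructed copy of the poster's table. Dates are assumed to be day/month/year
# (Jan..Dec 2012); the "#2" column is blank for Sept..Dec, the cells to forecast.
RAW_TABLE = """\
Date Device # limit #2
1/01/2012 A 1 10 1
1/02/2012 A 2 10 2
1/03/2012 A 3 10 3
1/04/2012 A 4 10 4
1/05/2012 A 5 10 5
1/06/2012 A 6 10 6
1/07/2012 A 7 10 7
1/08/2012 A 8 10 8
1/09/2012 A 9 10
1/10/2012 A 10 10
1/11/2012 A 11 10
1/12/2012 A 12 10
"""

def parse_rows(raw):
    """Parse the whitespace table; 'known' is None where the #2 cell is blank."""
    rows = []
    for line in raw.strip().splitlines()[1:]:
        parts = line.split()
        month = int(parts[0].split("/")[1])  # day/month/year assumed
        known = float(parts[4]) if len(parts) > 4 else None
        rows.append({"month": month, "limit": float(parts[3]), "known": known})
    return rows

def excel_forecast(x_new, ys, xs):
    """Equivalent of Excel FORECAST(x, known_y's, known_x's): least-squares line."""
    mean_x, mean_y = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return mean_y + (sxy / sxx) * (x_new - mean_x)

def fill_forecast(rows):
    """Return [(month, value, 'actual'|'forecast')] with blanks filled from the trend."""
    xs = [r["month"] for r in rows if r["known"] is not None]
    ys = [r["known"] for r in rows if r["known"] is not None]
    return [(r["month"], r["known"], "actual") if r["known"] is not None else
            (r["month"], round(excel_forecast(r["month"], ys, xs), 6), "forecast")
            for r in rows]

def first_month_over_limit(rows):
    """Capacity check: first month whose actual or forecast value exceeds 'limit'."""
    for (month, value, _), r in zip(fill_forecast(rows), rows):
        if value > r["limit"]:
            return month
    return None
```

With the table above the forecast for Sept to Dec is 9, 10, 11, 12, and November is the first month the trend exceeds the limit of 10.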
