Answers for "project trendlines into future"
https://answers.splunk.com/answers/11390/project-trendlines-into-future.html
The latest answers for the question "project trendlines into future"
Answer by Paolo Prigione
https://answers.splunk.com/answering/11437/view.html
<p>There actually is no easy way, I fear. You'd need to:</p>
<ol>
<li>compute the trendline equation to do that (y = m * _time + b) see <a href="http://www.tutorvista.com/content/math/geometry/straightlines/two-point-form.php" rel="nofollow">http://www.tutorvista.com/content/math/geometry/straightlines/two-point-form.php</a></li>
<li>extend the time field into future</li>
<li>compute the new y over time (the easy part...just an eval)</li>
</ol>
<p>But.... which is the best window to compute your trendline upon? 5, 20, 30, 1000 events? That totally depends on the case... </p>
<p>Ok, let's move on... here's my approach, in bullet points (I'll use _time as x axis, y as y axis): </p>
<ol>
<li>You need to compute the best trendline you see fit your data and produce a field "y"</li>
<li>To compute the equation of a line you need 2 (x,y) couples, which you can produce by moving the previous event's y and _time values to the current event. I'll use autoregress and name the two points as (curr_time,curr_y) (prev_time,prev_y)</li>
<li>You do the math and compute slope (m) and y-intercept (b) -> here's your equation!</li>
<li>Now, you said you want the future...so you don't have data for it. You'll have to "gentimes", and then put your slope and intercept into each event. </li>
<li>You compute the predicted value of y</li>
<li>You chart y over time</li>
</ol>
<p>Here's my try.</p>
<pre><code>| gentimes start=01/01/11 end=02/28/11 increment=6h
| eval jf=1
| join jf [
</code></pre>
<p>Get a time span and prepare to join the m and b values to all the results: </p>
<pre><code>search &lt;your search and computation of y here&gt;
| autoregress y as prev_y
| autoregress _time as prev_time
| rename y as curr_y
| eval curr_time=_time
| head 1
</code></pre>
<p>Head 1 gets the latest event only, which now has data for the 2 points the prediction line will pass through. Now I'll do the math.</p>
<pre><code>| eval m=(curr_y - prev_y)/(curr_time - prev_time)
| eval b=(prev_y * curr_time - curr_y * prev_time) / (curr_time - prev_time)
| eval jf=1
| fields + m b jf
]
</code></pre>
<p>I now have a single result with three fields only, jf (join field) is just for the join operation. </p>
<pre><code>| eval y= m*starttime + b
| eval _time=starttime
| chart values(y) over _time
</code></pre>
<p>Your predicted y value for the future.</p>
Mon, 07 Feb 2011 06:20:22 GMT
Paolo Prigione
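<p>An added example, not part of the answer above: the same slope and intercept math in Python, generalized to a least-squares fit over the last N points so the effect of the window choice on the projection can be checked offline. The names fit_line, project, epoch and SAMPLE, and the sample readings, are assumptions constructed for illustration.</p>

```python
from datetime import datetime, timezone

def fit_line(points, window=2):
    """Least-squares line through the last `window` (time, y) points.

    With window=2 this reduces to the two-point m and b of the answer.
    """
    pts = sorted(points)[-window:]
    if len(pts) < 2:
        raise ValueError("need at least two points")
    n = len(pts)
    mean_t = sum(t for t, _ in pts) / n
    mean_y = sum(y for _, y in pts) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in pts)
    if var_t == 0:
        # Same case as (curr_time - prev_time) == 0 in the eval: no slope.
        raise ValueError("points share one timestamp; slope undefined")
    m = sum((t - mean_t) * (y - mean_y) for t, y in pts) / var_t
    b = mean_y - m * mean_t
    return m, b

def project(m, b, start, end, step):
    """Like gentimes plus eval: one (starttime, y) row per step in [start, end)."""
    return [(t, m * t + b) for t in range(start, end, step)]

def epoch(year, month, day, hour=0):
    """UTC epoch seconds, the unit of _time."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())

# Constructed sample: (epoch seconds, y), one reading every 6 hours.
SAMPLE = [
    (epoch(2010, 12, 31, 0), 100.0),
    (epoch(2010, 12, 31, 6), 130.0),
    (epoch(2010, 12, 31, 12), 110.0),
    (epoch(2010, 12, 31, 18), 140.0),
]

if __name__ == "__main__":
    for window in (2, 4):
        m, b = fit_line(SAMPLE, window)
        rows = project(m, b, epoch(2011, 1, 1), epoch(2011, 1, 2), 6 * 3600)
        print(f"window={window} slope per hour={m * 3600:.2f}")
        for t, y in rows:
            print(" ", datetime.fromtimestamp(t, timezone.utc), round(y, 1))
```

<p>On this sample the two-point line projects 170 for the first future slot while the four-point fit projects 145, which is the window sensitivity the answer warns about.</p>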