How do you make a multiple cumulative time series?
https://answers.splunk.com/answers/687346/how-do-you-make-a-multiple-cumulative-time-series.html
I can make multiple summed time series.
source="splunk-source"
| timechart sum(figure) as figure by category
I can make a single cumulative summed time series.
source="splunk-source"
| timechart sum(figure) as figure
| streamstats sum(figure) as cumulative_figure
| timechart last(cumulative_figure)
But I can't make multiple cumulative summed time series.
I would appreciate some help with that.
Tags: splunk-enterprise, cumulative, time-series, multi-series
Posted: Thu, 13 Sep 2018 21:38:01 GMT by isaacsanders

Using Timewrap to compare yesterday to today per hour
https://answers.splunk.com/answers/609946/using-timewrap-to-compare-yesterday-to-today-per-h.html
I have the following search as I'm trying to compare yesterday's count to today's count per hour and I am seeing events per hour for latest_day, but no events per hour for today
index=foo
| timechart count span=1h
| timewrap 1d
Is the fact that I have the span set to 1h and timewrap set to 1d an issue?
Here is what I see:
![alt text][1]
Thx
[1]: /storage/temp/226693-graph.jpg
Tags: splunk-enterprise, comparison, timewrap, time-series
Posted: Wed, 10 Jan 2018 17:28:54 GMT by jwalzerpitt

How to forecast multiple time series from one search?
https://answers.splunk.com/answers/556134/how-to-forecast-multiple-time-series-from-one-sear.html
Hello!
I'm really new to Splunk's Machine Learning Toolkit, so any help would be greatly appreciated. Thank you.
I'm trying to forecast time series for multiple apps in my query. My current query is:
<code>index=... report=1min_rollup app="..." earliest="06/07/2017:10:00:00" latest="06/07/2017:11:00:00"
| stats sum(COUNT) as sum_count by _time,app
| stats avg(sum_count) as avgCount by _time, app
| bin _time span=5m
| eval time=_time%3600
| stats values(avgCount) by _time, State
| outputlookup eg.csv</code>
This gives me the lookup table eg.csv which looks like:
_time |app| avgCount
...
Now, I want to forecast the avgCount of all the apps on separate time series. How can I generate multiple forecasted time series (one forecasted time series per app) from the search that I do have right now???
Thank you! Your help is greatly appreciated!
Tags: splunk-enterprise, multiple, search, time-series, forecast
Posted: Tue, 18 Jul 2017 20:52:35 GMT by EvaRex

How to integrate the results of multiple forecast time series to forecast another time series?
https://answers.splunk.com/answers/556129/how-to-integrate-the-results-of-multiple-forecast.html
Hello!
I'm really new to Splunk's Machine Learning Toolkit, so any help would be greatly appreciated. Thank you.
I'm trying to forecast time series for multiple apps in my query. My current query is:
<code>index=... report=1min_rollup apps="..." earliest="06/07/2017:10:00:00" latest="06/07/2017:11:00:00"
| stats sum(COUNT) as sum_count by _time,apps | stats avg(sum_count) as avgCount by _time, apps
| bin _time span=5m
| eval time=_time%3600
| join orig_sourcetype time
[ search index=... report=1min_rollup apps="..." earliest="06/07/2017:11:00:00" latest="06/07/2017:12:00:00"
| stats sum(refCOUNT) as sum_ref_count by _time, apps
| bin _time span=5m
| stats avg(sum_ref_count ) as avgrefCount,
stdev(sum_ref_count ) as stdrefCount by _time, apps
| eval time=_time%3600]
| eval State=case((avgCount <=(avgrefCount+stdrefCount )),"Green",
true(),"Red")
| stats values(apps) by _time, State
| outputlookup eg.csv</code>
This gives me the lookup table eg.csv which looks like:
_time | State | values(apps)
hh:mm:ss| Green | app1 app2 app10
...
Now, I want to forecast the state of the apps on this time series. But since the state is calculated based on the range in which the avgCount falls, I feel instead of just forecasting the state, we must forecast the avgCount, avgrefCount, and stdrefCount and then calculate the state. Do you think this is the way forward? If so, how do I intertwine these forecast timeseries to calculate the state at any given time?
Thank you! Your help is greatly appreciated!
Tags: splunk-enterprise, time-series, forecasting
Posted: Tue, 18 Jul 2017 20:41:02 GMT by EvaRex

Multi-series Mode with multiple events in one series
https://answers.splunk.com/answers/527468/multi-series-mode-with-multiple-events-in-one-seri.html
Hi,
I have 3 events:
- Starts
- Transitions
- Errors
I also have 3 versions:
- 1
- 2
- 3
Each version will contain the events.
I want to be able to use the multi series mode in stacked mode so that I can see the timechart of the events for each version individually in one series.
My current problem is that when I try something like "| timechart c(starts), c(transitions) by version" the multi series mode splits it via each version and each event. So I get stuck with loads of series as each one is considered an individual.
Is there a way to group the events and split it via the version? In one series for a version, I want to be able to see all the events over time. So rather than seeing 9 series, I want to see 3.
Please let me know if you have any more questions.
Thanks!
Tags: splunk-cloud, multi-line-event, time-series, multi-series
Posted: Wed, 10 May 2017 10:34:43 GMT by neleisla

How to detect the patterns in time series?
https://answers.splunk.com/answers/487838/how-to-detect-the-patterns-in-time-series.html
I want to detect the patterns in time series
Tags: splunk, time-series
Posted: Mon, 09 Jan 2017 08:02:44 GMT by heshamzaid

Totalize a Rate Over Time
https://answers.splunk.com/answers/261503/totalize-a-rate-over-time.html
I have data coming in from a sensor that comes in the format unit/unit time, where I have a field value pair for the rate recorded and several field value pairs describing the time of the event. The rate is not recorded at a fixed interval in time.
If I want to use this rate to estimate total units over a specific time period, how can I accomplish that? Put another way, I want to be able to sum under a rate curve. I plotted a time series plot like so:
sensor | timechart span=5m avg(Value)
Thanks!
Tags: rate, time-series, manufacturing
Posted: Wed, 01 Jul 2015 21:44:23 GMT by ErikaE

How to make transactions that keep groupings in chronological order
https://answers.splunk.com/answers/242464/how-to-make-transactions-that-keep-groupings-in-ch.html
I am working with time-series data, and I want to group events based on the same values in three fields: field1, field2, and field3. All events are timestamped.
I want to group the events into transactions where field1, field2, and field3 are the same and all of the events are in chronological order. I don't want events that occur out of chronological order to be in the same transaction. Also, there is no way to know a maximum amount of time between any of the events.
For example, imagine the event sequence looks like the following if you put it into a table.
Time | field1 | field2 | field3
0 | a | b | c
1 | a | b | c
2 | a | b | c
3 | a | b | z
4 | a | b | y
5 | a | b | c
6 | a | b | c
The desired transaction behavior I am trying to achieve would turn the events above into the following transactions
Transaction | Duration | field1 | field2 | field3
1 | 2 - 0 | a | b | c
2 | 3 - 3 | a | b | z
3 | 4 - 4 | a | b | y
4 | 6 - 5 | a | b | c
Tags: transactions, time-series
Posted: Mon, 08 Jun 2015 14:19:07 GMT by rjthibod