Comments and answers for "How to integrate the results of multiple forecast time series to forecast another time series?"
https://answers.splunk.com/answers/556129/how-to-integrate-the-results-of-multiple-forecast.html
The latest comments and answers for the question "How to integrate the results of multiple forecast time series to forecast another time series?"

Answer by DalJeanis
https://answers.splunk.com/answering/556554/view.html
Okay, lots of interesting things in your code. I believe they are left over from earlier versions.
There will only ever be one record in each combination of `_time` and `apps` in the second `stats` command. Did you want that `bin` command before the second `stats`?
Never mind, this should do the trick... try this ...
index=... report=1min_rollup apps="..." earliest="06/07/2017:10:00:00" latest="06/07/2017:12:00:00"
| stats sum(COUNT) as sum_count, sum(refCOUNT) as sum_ref_count by _time,apps
| bin _time span=5m
| stats avg(sum_count) as avgCount, avg(sum_ref_count) as avgrefCount,
stdev(sum_ref_count) as stdrefCount by _time, apps
| eval time=_time%3600
| stats latest(_time) as _time, latest(avgCount) as avgCount,
earliest(avgrefCount) as avgrefCount, earliest(stdrefCount) as stdrefCount
by time, apps
| eval State=case((avgCount <= (avgrefCount + stdrefCount)), "Green", true(), "Red")
| stats values(apps) by _time, State
| outputlookup eg.csv
----------
Assumptions - (1) the earlier hour is the reference, rather than the later hour as in your code. (2) there are no other search differences in the stuff you left out. (3) COUNT and refCOUNT are both actual fields, rather than refCOUNT being a rename that you didn't show us.
On the other hand, if there is no such field, you can do something like this:
index=... report=1min_rollup apps="..." earliest="06/07/2017:10:00:00" latest="06/07/2017:12:00:00"
| addinfo
| eval info_mid_time = (info_max_time + info_min_time)/2
| eval refCOUNT=if(_time>=info_mid_time,COUNT,null())
| eval COUNT=if(_time>=info_mid_time,null(),COUNT)
| stats sum(COUNT) as sum_count, sum(refCOUNT) as sum_ref_count by _time,apps
| bin _time span=5m
| stats avg(sum_count) as avgCount, avg(sum_ref_count) as avgrefCount,
stdev(sum_ref_count) as stdrefCount by _time, apps
| eval time=_time%3600
| stats latest(_time) as _time, latest(avgCount) as avgCount,
earliest(avgrefCount) as avgrefCount, earliest(stdrefCount) as stdrefCount
by time, apps
| eval State=case((avgCount <= (avgrefCount + stdrefCount)), "Green", true(), "Red")
| stats values(apps) by _time, State
| outputlookup eg.csv
If you want your reference to be multiple hours, then you can just change the earlier bound of the search, and instead of calculating `info_mid_time`, just use `info_max_time - 3600`.

Wed, 19 Jul 2017 00:58:11 GMT DalJeanis
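The comparison the answer builds in SPL, re-implemented in Python as an added example (not code from the thread or from Splunk) so each stage of the pipeline (addinfo midpoint split, per-minute sum, 5-minute bins, avg/stdev of the reference, join on minute-of-hour, Green/Red state) can be run and inspected offline. It follows assumption (1), the earlier hour as reference, on constructed 1-minute rollup records for two hypothetical apps; Splunk's `stdev` is the sample standard deviation, matched here by `statistics.stdev`.

```python
from collections import defaultdict
from statistics import mean, stdev
from datetime import datetime, timezone

SPAN = 300  # 5-minute bins, as in "bin _time span=5m"

def ts(h, m):
    # constructed timestamps on 2017-06-07, the window used in the answer
    return int(datetime(2017, 6, 7, h, m, tzinfo=timezone.utc).timestamp())

def make_events():
    """Constructed 1-minute rollups for two hypothetical apps, 10:00-11:59 UTC."""
    events = []
    for h in (10, 11):
        for m in range(60):
            events.append({"_time": ts(h, m), "apps": "web", "COUNT": 100 + (m % 5)})
            count = 100 + (m % 5)
            if h == 11 and 30 <= m < 35:  # "api" spikes in the 11:30 bin only
                count += 50
            events.append({"_time": ts(h, m), "apps": "api", "COUNT": count})
    return events

def classify(events):
    """Emulates the SPL pipeline; the earlier hour is the reference (assumption 1)."""
    tmin, tmax = min(e["_time"] for e in events), max(e["_time"] for e in events)
    mid = (tmin + tmax) / 2  # addinfo + info_mid_time
    # stats sum(COUNT) by _time, apps, split into reference vs current
    per_min = defaultdict(int)
    for e in events:
        side = "ref" if e["_time"] < mid else "cur"
        per_min[(side, e["_time"], e["apps"])] += e["COUNT"]
    # bin _time span=5m, then avg()/stdev() per bin and app
    bins = defaultdict(list)
    for (side, t, app), total in per_min.items():
        bins[(side, t - t % SPAN, app)].append(total)
    # eval time=_time%3600: reference keyed by minute-of-hour offset and app
    ref = {(t % 3600, app): (mean(v), stdev(v))
           for (s, t, app), v in bins.items() if s == "ref"}
    state = {}
    for (s, t, app), v in bins.items():
        if s != "cur":
            continue
        avg_ref, std_ref = ref[(t % 3600, app)]
        state[(t, app)] = "Green" if mean(v) <= avg_ref + std_ref else "Red"
    return state  # keyed by (5-minute bin start, app), like the final stats by _time, State
```

With the constructed data only the 11:30 bin for "api" exceeds avgrefCount + stdrefCount (mean 152 against 102 + 1.58) and is flagged Red; every other bin is Green.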