How can I display just the prediction (future) in ...

henriq_c · ‎02-20-2019

I'm doing a chart where i want to predict the disk space for the month after and I have this :
.... predict C as "Prediction of C" algorithm=LLP5

(i put a span of 1m of the timechart)

1) I don't know how to do display just the future and not the past of the prediction (_time <= now())
2) And how to predict 1 month later ?
3) don't work with where 😕
4) If I pick in the time picker an anterior date, i want that my chart don't take the 'predict' in count and just display the chart without prediction

Thank you

adonio · ‎02-20-2019

hello there,

many questions in one so lets start:
1. try this search anywhere:

    | gentimes start="01/01/2018:00:00:00" end="12/31/2018:23:59:59" increment=10m
    | eval _time = starttime 
    | eval random_value = random()%10000
    | timechart span=1h min(random_value) as value
    | predict value algorithm=LLP5 period=2
    | search _time > 1546300799

maybe narrow down the time as it can get heavy. you can see in the viz tab that only events after 12/31/2018
also play a Lillie with the integers for span= and period=
2. predicting to the future depends on how far back you are looking and on the period and future_timespan attributes
read here more: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Predict
3. the where worked fine for me, see screenshot, try and substitute the search in the last line of code to where
4. i don't understand the requirement here, maybe open another question or elaborate?

screenshot

hope it helps

How can I display just the prediction (future) in a chart ?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?