About predictive analytics with Splunk Enterprise
Predictive analytics can be used in a number of ways. For example:
- It aids in capacity planning by helping you to determine your hardware requirements for virtual environments and forecast energy consumption.
- It enables enhanced root cause analysis that can help detect abnormal patterns in events and prevent security attacks.
- It enables enhanced monitoring of key components which can detect system failures and prevent outages before they occur.
Splunk enables you to use reports and dashboards to monitor activity as it is happening, then drill down into events and do a root-cause analysis to learn why something happened. If there are patterns and correlations in the events that you monitor, you can use them to predict future activity. With this knowledge, you can proactively send alerts based on thresholds and perform "what-if" analyses to compare various scenarios.
Predictive analytics commands
The Splunk search language includes two forecasting commands: predict and x11.
- The predict command enables you to use different forecasting algorithms to predict future values of single and multi-valued fields.
- The x11 command, which is named after the X11 algorithm, removes seasonal fluctuations in fields to expose the real trend in your underlying data series.
Forecasting algorithms for predict
You can select from the following algorithms with the predict command: LL, LLP, LLT and LLB. Each of these algorithms is a variation based on the Kalman filter.
| Algorithm option | Algorithm name | Description |
| --- | --- | --- |
| LL | Local level | This is a univariate model with no trends and no seasonality. Requires a minimum of 2 data points. |
| LLP | Seasonal local level | This is a univariate model with seasonality. The periodicity of the time series is automatically computed. Requires the minimum number of data points to be twice the period. |
| LLT | Local level trend | This is a univariate model with trend but no seasonality. Requires a minimum of 3 data points. |
| LLB | Bivariate local level | This is a bivariate model with no trends and no seasonality. Requires a minimum of 2 data points. |
For more information, see the predict command topic in the Search Reference Manual.
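The table describes the model families by their assumptions but not what a local-level filter actually does. The following is an added illustration, not Splunk's predict implementation: a minimal local-level (LL) Kalman filter that produces a flat forecast with a widening 95% band, and, as a defender's use of the same one-step-ahead error, flags observations that fall far outside what the level predicts (the "abnormal patterns" use case above). The noise variances q and r, the 1.96 band multiplier, the rejection threshold and the SAMPLE_COUNTS series are all hand-picked assumptions; a real tool estimates the variances from the data, and LLP, LLT and LLB are not implemented here.

```python
"""Local-level (LL) Kalman filter: one-step-ahead checks and a flat forecast.

Added illustration, not Splunk's predict implementation. The noise
variances q and r are hand-picked assumptions; a real tool estimates them.
"""
import math
from typing import List, Optional, Tuple

# Minimum data points quoted in the page's table; only LL is implemented here
MIN_POINTS = {"LL": 2, "LLT": 3}

# Constructed sample: hourly event counts with one spike at index 5
SAMPLE_COUNTS = [100.0, 102.0, 99.0, 101.0, 100.0, 250.0, 101.0, 100.0]


def local_level_filter(series: List[float], q: float = 1.0, r: float = 4.0,
                       reject_z: Optional[float] = None
                       ) -> Tuple[List[float], float, float, List[int]]:
    """Filter `series` under the local-level model
         level_t = level_{t-1} + w_t,  w_t ~ N(0, q)   (the level drifts)
         y_t     = level_t + v_t,      v_t ~ N(0, r)   (noisy observation)
    Returns (filtered levels, final level, final level variance, flagged indices).
    If reject_z is given, an observation whose one-step-ahead error exceeds
    reject_z standard deviations is flagged and not allowed to move the level,
    so a single spike does not drag the baseline upward for later points.
    """
    if len(series) < MIN_POINTS["LL"]:
        raise ValueError("LL needs at least %d data points" % MIN_POINTS["LL"])
    level = float(series[0])      # start the level at the first observation
    p = r                         # initial uncertainty about that level
    filtered: List[float] = []
    flagged: List[int] = []
    for i, y in enumerate(series):
        p += q                                    # time update: level may have drifted
        innovation = y - level                    # one-step-ahead prediction error
        innovation_sd = math.sqrt(p + r)
        if reject_z is not None and abs(innovation) > reject_z * innovation_sd:
            flagged.append(i)                     # abnormal point: keep the prior level
            filtered.append(level)
            continue
        k = p / (p + r)                           # Kalman gain, between 0 and 1
        level += k * innovation                   # measurement update
        p *= (1.0 - k)
        filtered.append(level)
    return filtered, level, p, flagged


def forecast_ll(series: List[float], horizon: int, q: float = 1.0, r: float = 4.0
                ) -> List[Tuple[float, float, float]]:
    """LL forecast: every future point equals the last filtered level (no trend,
    no seasonality), while the 95% band widens with the step-ahead variance
    p + h*q + r. Returns (point, lower95, upper95) for each step h."""
    _, level, p, _ = local_level_filter(series, q, r)
    out = []
    for h in range(1, horizon + 1):
        sd = math.sqrt(p + h * q + r)
        out.append((level, level - 1.96 * sd, level + 1.96 * sd))
    return out


if __name__ == "__main__":
    _, _, _, spikes = local_level_filter(SAMPLE_COUNTS, reject_z=3.0)
    print("flagged indices:", spikes)            # [5]
    for h, (pt, lo, hi) in enumerate(forecast_ll(SAMPLE_COUNTS[:5], 3), 1):
        print("h=%d point=%.2f band=[%.2f, %.2f]" % (h, pt, lo, hi))
```

Two points worth noticing: the LL point forecast never changes with the horizon (that is what "no trend" means in the table), only the band grows, so it is the right choice when you expect the level to hold but want an honest uncertainty range; and keeping a flagged spike out of the measurement update is what keeps the points after it from being misreported as anomalies, which is the usual failure mode of naive threshold-on-residual alerting.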
Additive and multiplicative seasonality in X11
The seasonal component of your time series data can be either additive or multiplicative. In Splunk, these are the two types of seasonality that x11 can calculate: add() for additive and mult() for multiplicative.
How do you know which type of seasonality to adjust out of your data? The best way to describe the difference between an additive and a multiplicative seasonal component is with an example: The annual sales of flowers will peak on and around certain days of the year, including Valentine's Day and Mother's Day.
During Valentine's Day, the sales of roses may increase by X dollars every year. This dollar amount is independent of the normal level of the series, and you can add X dollars to your forecasts for Valentine's Day every year, making this time series a candidate for an additive seasonal adjustment. In an additive seasonal adjustment, each value of a time series is adjusted by adding or subtracting a quantity that represents the absolute amount by which that value differs from normal in that season.
Alternatively, with a multiplicative seasonal component, the seasonal effect is expressed in percentage terms, so the absolute magnitude of the seasonal variations increases as the series grows over time. For example, the number of roses sold during Valentine's Day may increase by 40%, or a factor of 1.4. When the sales of roses are generally weak, the absolute (dollar) increase in Valentine's Day sales will also be relatively weak, but the percentage will be constant. And if the sales of roses are strong, then the absolute (dollar) increase will be proportionately greater. In a multiplicative seasonal adjustment, this pattern is removed by dividing each value of the time series by a quantity that represents the percentage from normal, or factor, that is typically observed in that season.
When plotted on a chart, these two types of seasonal components will show distinguishing characteristics:
- The additive seasonal series shows steady seasonal fluctuations, regardless of the overall level of the series.
- The multiplicative seasonal series shows varying size of seasonal fluctuations that depend on the overall level of the series.
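The two rules above (subtract an absolute seasonal amount versus divide by a seasonal factor, and pick the type by whether the swing stays constant or scales with the level) can be made concrete on a toy series. The block below is an added example and is not Splunk's x11 implementation: it uses a classical centered-moving-average decomposition, which is far simpler than the X11 procedure, to estimate a seasonal effect per phase, applies it additively or multiplicatively, and implements the chart-reading rule from the bullets as a numeric check. The BASE trend, the two seasonal patterns, the period of 4, and the decision to reuse the page's "twice the period" minimum as an input check are all constructed assumptions.

```python
"""Additive vs multiplicative seasonal adjustment on a toy series.

Added example, not Splunk's x11 implementation: a classical moving-average
decomposition (much simpler than the X11 procedure) shows what "subtract the
seasonal amount" versus "divide by the seasonal factor" means, plus a rule of
thumb, taken from the page's chart description, for choosing between them.
"""
import statistics
from typing import List

# Constructed sample data: a rising trend with a 4-step seasonal pattern,
# once as a fixed amount (+20 / -20) and once as a fixed factor (x1.2 / x0.8)
BASE = [100.0 + 2.0 * t for t in range(20)]
ADD_PATTERN = [0.0, 20.0, 0.0, -20.0]
MULT_PATTERN = [1.0, 1.2, 1.0, 0.8]
ADDITIVE_SERIES = [b + ADD_PATTERN[t % 4] for t, b in enumerate(BASE)]
MULTIPLICATIVE_SERIES = [b * MULT_PATTERN[t % 4] for t, b in enumerate(BASE)]


def _centered_trend(series: List[float], period: int) -> List[float]:
    """Centered moving average of length `period` (a 2 x period average when
    the period is even). NaN where the window would run off either end."""
    n, half = len(series), period // 2
    trend = [float("nan")] * n
    for t in range(half, n - half):
        lo, hi = t - half, t + half
        if period % 2 == 0:
            total = 0.5 * series[lo] + sum(series[lo + 1:hi]) + 0.5 * series[hi]
        else:
            total = sum(series[lo:hi + 1])
        trend[t] = total / period
    return trend


def seasonal_indices(series: List[float], period: int, kind: str) -> List[float]:
    """Seasonal effect per phase: the average detrended value (y - trend for
    "add", y / trend for "mult"), normalised so additive effects sum to zero
    and multiplicative factors average to one."""
    trend = _centered_trend(series, period)
    buckets = [[] for _ in range(period)]
    for t, (y, tr) in enumerate(zip(series, trend)):
        if tr != tr:            # NaN at the ends: no trend estimate there
            continue
        buckets[t % period].append(y - tr if kind == "add" else y / tr)
    raw = [statistics.fmean(b) for b in buckets]
    m = statistics.fmean(raw)
    return [s - m for s in raw] if kind == "add" else [s / m for s in raw]


def seasonal_adjust(series: List[float], period: int, kind: str) -> List[float]:
    """Remove the seasonal component by subtraction ("add") or division ("mult")."""
    if kind not in ("add", "mult"):
        raise ValueError("kind must be 'add' or 'mult'")
    # Assumption: reuse the "twice the period" minimum the page quotes for LLP
    if len(series) < 2 * period:
        raise ValueError("need at least two full periods of data")
    idx = seasonal_indices(series, period, kind)
    return [y - idx[t % period] if kind == "add" else y / idx[t % period]
            for t, y in enumerate(series)]


def suggest_seasonality_type(series: List[float], period: int) -> str:
    """Rule of thumb from the page: a swing that stays the same size as the
    level changes is additive; a swing that grows with the level (constant
    percentage) is multiplicative. Compares which quantity is more stable
    across full cycles: the absolute swing or the swing-to-level ratio."""
    swings, ratios = [], []
    for start in range(0, len(series) - period + 1, period):
        cycle = series[start:start + period]
        swing = max(cycle) - min(cycle)
        swings.append(swing)
        ratios.append(swing / statistics.fmean(cycle))
    if len(swings) < 2:
        raise ValueError("need at least two full cycles to compare")

    def cv(xs: List[float]) -> float:           # coefficient of variation
        return statistics.pstdev(xs) / statistics.fmean(xs)

    return "add" if cv(swings) <= cv(ratios) else "mult"


if __name__ == "__main__":
    for name, s in (("additive", ADDITIVE_SERIES), ("multiplicative", MULTIPLICATIVE_SERIES)):
        kind = suggest_seasonality_type(s, 4)
        print(name, "->", kind, "indices:", [round(v, 3) for v in seasonal_indices(s, 4, kind)])
```

On the constructed additive series the recovered indices are exactly the +20/-20 pattern and the adjusted series is the bare trend; on the multiplicative one the factors come out close to 1.2 and 0.8 (a moving average cannot separate a ratio from a sloping trend perfectly), which is the practical reason to run the type check before choosing add() or mult(): applying the wrong adjustment leaves a residual seasonal wobble whose size changes with the level, and that wobble will show up as false alerts on any threshold set against the "deseasonalised" series.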
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14