Splunk® Enterprise

Search Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

About predictive analytics with Splunk Enterprise

Predictive analytics can be used in a number of ways. For example:

  • It aids in capacity planning by helping you to determine your hardware requirements for virtual environments and forecast energy consumption.
  • It enables enhanced root cause analysis that can help detect abnormal patterns in events and prevent security attacks.
  • It enables enhanced monitoring of key components which can detect system failures and prevent outages before they occur.

Splunk enables you to use reports and dashboards to monitor activity as it is happening, then drill down into events and do a root-cause analysis to learn why something happened. If there are patterns and correlations in the events that you monitor, you can use them to predict future activity. With this knowledge, you can proactively send alerts based on thresholds and perform "what-if" analyses to compare various scenarios.

Predictive analytics commands

The Splunk search language includes two forecasting commands: predict and x11.

  • The predict command enables you to use different forecasting algorithms to predict future values of single and multi-valued fields.
  • The x11 command, which is named after the X11 algorithm, removes seasonal fluctuations in fields to expose the real trend in your underlying data series.

Forecasting algorithms for predict

You can select from the following algorithms with the predict command: LL, LLP, LLT and LLB. Each of these algorithms is a variation based on the Kalman filter.

| Algorithm option | Algorithm name | Description |
|---|---|---|
| LL | Local level | This is a univariate model with no trends and no seasonality. Requires a minimum of 2 data points. |
| LLP | Seasonal local level | This is a univariate model with seasonality. The periodicity of the time series is automatically computed. Requires the minimum number of data points to be twice the period. |
| LLT | Local level trend | This is a univariate model with trend but no seasonality. Requires a minimum of 3 data points. |
| LLB | Bivariate local level | This is a bivariate model with no trends and no seasonality. Requires a minimum of 2 data points. |

For more information, see the predict command topic in the Search Reference Manual.
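To make the "local level" idea concrete, here is an added example that is not part of the Splunk documentation and not Splunk's own predict implementation: a textbook local level Kalman filter in Python. The state is a single unobserved level that may drift each step (no trend, no seasonality), the observation is that level plus noise, and the forecast is therefore a flat line at the last filtered level. The example also shows the alerting use case from the introduction: an observation whose one-step-ahead residual exceeds a z-score threshold is flagged, and optionally not used to update the level so that one spike does not drag later forecasts upward. The noise variances, the threshold, and the constructed failed-login counts are assumptions chosen for illustration.

```python
import math

# Constructed sample: failed logins per hour from one source. The 60 is a
# planted spike; the rest is a steady level of about 13 with small noise.
LOGIN_FAILURES = [12, 14, 11, 13, 12, 15, 13, 12, 14, 13, 60, 12, 13]


def local_level_filter(series, state_var=1.0, obs_var=4.0, z=3.0, skip_outliers=True):
    """Local level (LL) Kalman filter over a univariate series.

    Model (assumed for illustration):
        level_t = level_{t-1} + w_t   with Var(w_t) = state_var
        y_t     = level_t + v_t       with Var(v_t) = obs_var
    Returns (final_level, flagged) where flagged holds the indexes whose
    one-step-ahead residual exceeded z standard deviations. With
    skip_outliers=True a flagged point does not update the level.
    """
    if len(series) < 2:
        raise ValueError("LL requires at least 2 data points")
    level = float(series[0])
    p = float(obs_var)  # initial uncertainty about the level (assumption)
    flagged = []
    for i in range(1, len(series)):
        y = float(series[i])
        p_pred = p + state_var                      # uncertainty after possible drift
        innovation_sd = math.sqrt(p_pred + obs_var)  # sd of the one-step-ahead residual
        residual = y - level                         # the forecast for step i was `level`
        if abs(residual) > z * innovation_sd:
            flagged.append(i)
            if skip_outliers:
                p = p_pred   # learn nothing from the outlier; keep the grown uncertainty
                continue
        k = p_pred / (p_pred + obs_var)              # Kalman gain
        level += k * residual
        p = (1.0 - k) * p_pred
    return level, flagged


def forecast(series, horizon, **kwargs):
    """LL forecast: a flat line at the last filtered level (there is no trend to extrapolate)."""
    level, _ = local_level_filter(series, **kwargs)
    return [level] * horizon


if __name__ == "__main__":
    level, flagged = local_level_filter(LOGIN_FAILURES)
    print("filtered level: %.2f, flagged indexes: %s" % (level, flagged))
    print("next 3 hours:", forecast(LOGIN_FAILURES, 3))
    print("without skipping outliers:", local_level_filter(LOGIN_FAILURES, skip_outliers=False)[1])
```

Run as a script, the filter flags only index 10 (the spike). With skip_outliers=False the spike is absorbed into the level, so the two normal hours after it are flagged as well, which is the kind of alert storm a robust update avoids. The LLT and LLP variants in the table extend this same state model with a slope and with a seasonal component respectively.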

Additive and multiplicative seasonality in X11

The seasonal component of your time series data can be either additive or multiplicative. The x11 command can calculate either type of seasonality: add() for additive and mult() for multiplicative.

How do you know which type of seasonal adjustment your data needs? The best way to describe the difference between an additive and a multiplicative seasonal component is with an example: The annual sales of flowers will peak on and around certain days of the year, including Valentine's Day and Mother's Day.

During Valentine's Day, the sale of roses may increase by X dollars every year. This dollar amount is independent of the normal level of the series, and you can add X dollars to your forecasts for Valentine's Day every year, making this time series a candidate for an additive seasonal adjustment. In an additive seasonal adjustment, each value of a time series is adjusted by adding or subtracting a quantity that represents the absolute amount by which that value differs from normal in that season.

Alternatively, in a multiplicative seasonal component, the seasonal effect expresses itself in percentage terms, so the absolute magnitude of the seasonal variations increases as the series grows over time. For example, the number of roses sold during Valentine's Day may increase by 40%, or a factor of 1.4. When rose sales are generally weak, the absolute (dollar) increase in Valentine's Day sales will also be relatively small, but the percentage will be constant. If rose sales are strong, then the absolute (dollar) increase will be proportionately greater. In a multiplicative seasonal adjustment, this pattern is removed by dividing each value of the time series by a quantity that represents the percentage from normal, or factor, that is typically observed in that season.

When plotted on a chart, these two types of seasonal components will show distinguishing characteristics:

  • The additive seasonal series shows steady seasonal fluctuations, regardless of the overall level of the series.
  • The multiplicative seasonal series shows varying size of seasonal fluctuations that depend on the overall level of the series.
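The following is an added example, not part of the Splunk documentation and not the x11 implementation itself. It builds two constructed series over a linear trend with a period of 4: one with a fixed seasonal offset added each season, one with a seasonal factor multiplied in. It then estimates the seasonal component the classical way (centered moving average to find the trend, difference or ratio to the trend, average per season), adjusts by subtracting or dividing as described above, and measures how far the adjusted series is from the known trend. Applying the wrong type of adjustment leaves residual seasonality, which is the practical reason to look at the chart before choosing add() or mult(). The period, the offsets and the factors are assumptions for illustration.

```python
# Constructed data: a linear trend and two seasonal patterns with period 4.
PERIOD = 4
BASE = [100 + 10 * t for t in range(12)]                     # the true trend
ADD_OFFSETS = [20, 0, -10, -10]                              # sum to zero
MULT_FACTORS = [1.4, 1.0, 0.8, 0.8]                          # average to one
ADDITIVE = [b + ADD_OFFSETS[t % PERIOD] for t, b in enumerate(BASE)]
MULTIPLICATIVE = [b * MULT_FACTORS[t % PERIOD] for t, b in enumerate(BASE)]


def centered_moving_average(series, period):
    """Centered moving average used as the trend estimate.
    For an even period this is the 2xM average (half weight on both ends).
    Returns a list aligned with series; None where the window does not fit."""
    n, half = len(series), period // 2
    out = [None] * n
    for t in range(half, n - half):
        window = series[t - half:t + half + 1]
        if period % 2 == 0:
            out[t] = (0.5 * window[0] + sum(window[1:-1]) + 0.5 * window[-1]) / period
        else:
            out[t] = sum(window) / period
    return out


def seasonal_indices(series, period, mode):
    """Per-season offsets (mode='add') or factors (mode='mult')."""
    trend = centered_moving_average(series, period)
    buckets = [[] for _ in range(period)]
    for t, (y, tr) in enumerate(zip(series, trend)):
        if tr is None:
            continue
        buckets[t % period].append(y - tr if mode == "add" else y / tr)
    if any(len(b) == 0 for b in buckets):
        raise ValueError("need at least two full periods to estimate every season")
    raw = [sum(b) / len(b) for b in buckets]
    mean = sum(raw) / period
    if mode == "add":
        return [v - mean for v in raw]   # offsets normalized to sum to zero
    return [v / mean for v in raw]       # factors normalized to average one


def seasonally_adjust(series, period, mode):
    """Remove the seasonal component by subtraction (add) or division (mult)."""
    idx = seasonal_indices(series, period, mode)
    if mode == "add":
        return [y - idx[t % period] for t, y in enumerate(series)]
    return [y / idx[t % period] for t, y in enumerate(series)]


def max_abs_error(adjusted, expected):
    """Largest distance between the adjusted series and the known trend."""
    return max(abs(a - e) for a, e in zip(adjusted, expected))


if __name__ == "__main__":
    for name, series in (("additive", ADDITIVE), ("multiplicative", MULTIPLICATIVE)):
        for mode in ("add", "mult"):
            err = max_abs_error(seasonally_adjust(series, PERIOD, mode), BASE)
            print("%-14s series, %-4s adjustment: max error from trend %.2f" % (name, mode, err))
```

On the additive series the add() style adjustment recovers the trend exactly, while the mult() style leaves an error of several units; on the multiplicative series the roles reverse, with the additive adjustment leaving the largest residual in the high season where the percentage effect translates into the biggest absolute gap.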
Last modified on 08 August, 2014

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
