About time series forecasting
You can forecast time series data in a number of ways. For example:
- Capacity planning to determine hardware requirements for virtual environments and forecast energy consumption
- Forecast earnings and other business metrics
- Enhanced monitoring of key components which can detect system failures and prevent outages before they occur
You can use reports and dashboards to monitor activity as it is happening, then drill down into events and do a root-cause analysis to learn why something happened. If there are patterns and correlations in events that you monitor, you can use them to predict future activity. With this knowledge, you can proactively send alerts based on thresholds and perform "what-if" analyses to compare various scenarios.
Commands for time series forecasting
The Splunk search language includes two forecasting commands: predict and x11.
- The predict command enables you to use different forecasting algorithms to predict future values of single and multivalue fields.
- The x11 command, which is named after the X11 algorithm, removes seasonal fluctuations in fields to expose the real trend in your underlying data series.
You can select from the following algorithms with the
predict command: LL, LLP, LLT, LLB, and LLP5. Each of these algorithms are variations of the Kalman filter.
|Algorithm option||Algorithm name||Description|
|LL||Local level||This is a univariate model with no trends and no seasonality. Requires a minimum of 2 data points.|
|LLP||Seasonal local level||This is a univariate model with seasonality. The periodicity of the time series is automatically computed. Requires the minimum number of data points to be twice the period.|
|LLT||Local level trend||This is a univariate model with trend but no seasonality. Requires a minimum of 3 data points.|
|LLB||Bivariate local level||This is a bivariate model with no trends and no seasonality. Requires a minimum of 2 data points. LLB uses one set of data to make predictions for another. For example, assume it uses dataset Y to make predictions for dataset X. If the holdback=10, the LLB algorithm uses the last 10 data points of Y to make predictions for the last 10 data points of X.|
|LLP5||Combines LLT and LLP models for its prediction.|
For more information, see the "predict command" in the Search Reference.
Forecasting seasonality with the x11 command
The seasonal component of your time-series data is either additive or multiplicative, which is reflected in the two types of seasonality that you can calculate with the x11 command:
add() for additive and
mult() for multiplicative.
How do you know which type of seasonality to adjust from your data? The best way to describe the difference between an additive and a multiplicative seasonal component is with an example: The annual sales of flowers will peak on and around certain days of the year, such as Valentine's Day and Mother's Day.
During Valentine's Day, the sale of roses might increase by X dollars every year. This dollar amount is independent of the normal level of the series, and you can add X dollars to your forecasts for Valentine's Day every year, making this time series a candidate for an additive seasonal adjustment. In an additive seasonal adjustment, each value of a time series is adjusted by adding or subtracting a quantity that represents the absolute amount by which that value differs from normal in that season.
Alternatively, in a multiplicative seasonal component, the seasonal effect expresses itself in percentage terms. The absolute magnitude of the seasonal variations increases as the series grows over time. For example, the number of roses sold during Valentine's Day might increase by 40% or a factor of 1.4. When the sales of roses is generally weak, the absolute (dollar) increase in Valentine's Day sales will also be relatively weak. However, the percentage will be constant. And, if the sales of roses are strong, then the absolute (dollar) increase will be proportionately greater. In a multiplicative seasonal adjustment, this pattern is removed by dividing each value of the time series by a quantity that represents the percentage from normal or divided by a factor that is typically observed in that season.
When plotted on a chart, these two types of seasonal components show distinguishing characteristics:
- The additive seasonal series shows steady seasonal fluctuations, regardless of the overall level of the series.
- The multiplicative seasonal series shows varying size of seasonal fluctuations that depend on the overall level of the series.
For more information, see the "x11 command" in the Search Reference.
About event grouping and correlation
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0