x11 command removes the seasonal pattern in your time-based data series so that you can see the real trend in your data. This command has a similar purpose to the trendline command, but it uses the more sophisticated and industry popular X11 method.
The seasonal component of your time series data can be either additive or multiplicative, defined as the two types of seasonality that you can calculate with x11:
add() for additive and
mult() for multiplicative. See About time-series forecasting in the Search Manual.
x11 [<type>] [<period>] (<fieldname>) [AS <newfield>]
- Syntax: <field>
- Description: The name of the field to calculate the seasonal trend.
- Syntax: add() | mult()
- Description: Specify the type of x11 to compute, additive or multiplicative.
- Default: mult()
- Syntax: <int>
- Description: The period of the data relative to the number of data points, expressed as an integer between 5 and 1000. If the period is 7, the command expects the data to be periodic every 7 data points. If you omit this parameter, Splunk software calculates the period automatically. The algorithm does not work if the period is less than 5 and will be too slow if the period is greater than 1000.
- Syntax: <string>
- Description: Specify a field name for the output of the
- Default: None
Example 1: In this example, the type is the default
mult and the period is 15. The field name specified is
index=download | timechart span=1d count(file) as count | x11 mult15(count)
Because span=1d, every data point accounts for 1 day. As a result, the period in this example is 15 days.
You can change the syntax in this example to
... | x11 15(count) because the
mult type is the default type.
Example 2: In this example, the type is
add and the period is 20. The field name specified is
index=download | timechart span=1d count(file) as count | x11 add20(count)
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103