x11
Description
The x11
command removes the seasonal pattern in your time-based data series so that you can see the real trend in your data. This command has a similar purpose to the trendline command, but it uses the more sophisticated and industry popular X11 method.
The seasonal component of your time series data can be either additive or multiplicative, defined as the two types of seasonality that you can calculate with x11: add()
for additive and mult()
for multiplicative. See About time-series forecasting in the Search Manual.
Syntax
x11 [<type>] [<period>] (<fieldname>) [AS <newfield>]
Required arguments
- <fieldname>
- Syntax: <field>
- Description: The name of the field to calculate the seasonal trend.
Optional arguments
- <type>
- Syntax: add() | mult()
- Description: Specify the type of x11 to compute, additive or multiplicative.
- Default: mult()
- <period>
- Syntax: <int>
- Description: The period of the data relative to the number of data points, expressed as an integer between 5 and 1000. If the period is 7, the command expects the data to be periodic every 7 data points. If you omit this parameter, Splunk software calculates the period automatically. The algorithm does not work if the period is less than 5 and will be too slow if the period is greater than 1000.
- <newfield>
- Syntax: <string>
- Description: Specify a field name for the output of the
x11
command. - Default: None
Examples
Example 1: In this example, the type is the default mult
and the period is 15. The field name specified is count
.
index=download | timechart span=1d count(file) as count | x11 mult15(count)
Because span=1d, every data point accounts for 1 day. As a result, the period in this example is 15 days.
You can change the syntax in this example to ... | x11 15(count)
because the mult
type is the default type.
Example 2: In this example, the type is add
and the period is 20. The field name specified is count
.
index=download | timechart span=1d count(file) as count | x11 add20(count)
See also
where | xmlkv |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!