To invoke forecasting on multiple time series, you just need an ML job that models multiple time series. Let's assume that we have an ML job that has analyzed web requests per country. We may have over 200 unique time series in our weblogs because of the diverse clientele that visit our website. Using the logs that were collected by Filebeat, we have configured a multi-metric job on the count of requests for every nginx.access.geoip.country_iso_code:
When we click the Forecast button in the Single Metric Viewer, the forecast will automatically be run for all detectors and partitions (even if there are hundreds or more). Alternatively, you can use the _forecast API endpoint to invoke the forecast. To do so, in the Dev Tools Console, we could issue this request:
POST _xpack/ml/anomaly_detectors/web_traffic_per_country/_forecast
{
  "duration": "7d"
}
The immediate response from the API call is as follows:
{
  "acknowledged" : true,
  "forecast_id" : "DGT6bWgBITRq2rXMb1Rr"
}
The results of our forecast request will be available for viewing either in the Single Metric Viewer or programmatically by querying the results indices, as demonstrated earlier. For example, we can see that the forecast for the US (nginx.access.geoip.country_iso_code US) appears as follows:
This is significantly different in volume from that of Vietnam (nginx.access.geoip.country_iso_code VN):
As you can see, the forecast is done per time series, automatically. Again, this could be extremely useful for capacity planning use cases where hundreds or possibly thousands of entities need to be analyzed and forecast to see whether any breaches are possible in the near future.
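The per-partition capacity check described above can be scripted against the results indices. The following is an added example, not code from the original text: it builds the search body for the model_forecast documents of the forecast shown earlier and reports, per country, the first bucket whose upper bound exceeds a limit. The capacity limits and the sample hits are constructed assumptions.

```python
from collections import defaultdict

JOB_ID = "web_traffic_per_country"    # job name from the request above
FORECAST_ID = "DGT6bWgBITRq2rXMb1Rr"  # forecast_id from the response above

def build_forecast_query(job_id, forecast_id, size=10000):
    """Search body for .ml-anomalies-* returning every bucket of one forecast."""
    return {
        "size": size,
        "query": {"bool": {"filter": [
            {"term": {"job_id": job_id}},
            {"term": {"result_type": "model_forecast"}},
            {"term": {"forecast_id": forecast_id}},
        ]}},
        "sort": [{"timestamp": "asc"}],
    }

def first_breaches(hits, capacity):
    """Map partition -> (timestamp, forecast_upper) of the earliest bucket
    whose upper bound exceeds that partition's limit."""
    by_partition = defaultdict(list)
    for hit in hits:
        doc = hit["_source"]
        by_partition[doc["partition_field_value"]].append(doc)
    breaches = {}
    for partition, docs in by_partition.items():
        limit = capacity.get(partition)
        if limit is None:
            continue  # no limit defined for this partition
        for doc in sorted(docs, key=lambda d: d["timestamp"]):
            if doc["forecast_upper"] > limit:
                breaches[partition] = (doc["timestamp"], doc["forecast_upper"])
                break
    return breaches

# Constructed sample hits (epoch-millisecond timestamps), deliberately unordered.
T0, HOUR = 1548979200000, 3600000
def _hit(country, ts, lower, pred, upper):
    return {"_source": {"job_id": JOB_ID, "forecast_id": FORECAST_ID,
                        "result_type": "model_forecast", "timestamp": ts,
                        "partition_field_value": country, "forecast_lower": lower,
                        "forecast_prediction": pred, "forecast_upper": upper}}
SAMPLE_HITS = [_hit("US", T0 + 2 * HOUR, 900.0, 1050.0, 1200.0),
               _hit("VN", T0, 20.0, 30.0, 40.0),
               _hit("US", T0, 700.0, 800.0, 900.0),
               _hit("US", T0 + HOUR, 850.0, 975.0, 1100.0),
               _hit("VN", T0 + HOUR, 25.0, 35.0, 45.0)]
CAPACITY = {"US": 1000, "VN": 100}  # hypothetical requests-per-bucket limits

if __name__ == "__main__":
    print(first_breaches(SAMPLE_HITS, CAPACITY))
```

Comparing against forecast_upper rather than forecast_prediction flags a partition as soon as the limit falls inside the forecast's confidence interval.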