Anomaly detection based on relationships between multiple time series

What is claimed is: 1. A computer-implemented method comprising: obtaining sequences of time series values determined from raw machine data, each sequence corresponding to a respective time series, wherein the raw machine data is produced by one or more components within an information technology or security environment and reflects activity within the information technology or security environment; generating a plurality of predictive models for a first time series from the sequences of time series values, each predictive model to generate predicted values associated with the first time series using time series values corresponding to a second time series; evaluating one or more characteristics of the plurality of predictive models; and automatically selecting a predictive model from the plurality of predictive models for anomaly detection based on the evaluating of the one or more characteristics. 2. The method of claim 1 , further comprising applying the selected predictive model to subsequently received time series values to detect an anomaly. 3. The method of claim 1 , further comprising in response to detection of an anomaly using the selected predictive mode, causing transmission of an indication of the anomaly. 4. The method of claim 1 , wherein the evaluating comprises, for each of the plurality of predictive models, determining an error between the corresponding predicted values and values associated with the first time series, wherein the selecting of the predictive model is based on the error of the predictive model. 5. The method of claim 1 , wherein the sequences of time series values correspond to at least one of performance metrics or security-related metrics. 6. The method of claim 1 , wherein a first of the plurality of predictive models corresponds to a different set of time series than a second of the plurality of predictive models. 7. The method of claim 1 , wherein a first of the plurality of predictive models is a polynomial model, a second of the predictive models is a neural network, and a third predictive model is a decision tree model. 8. The method of claim 1 , wherein the obtaining of the sequences of time series values is from one or more streams of time series data. 9. The method of claim 1 , wherein the one or more characteristics correspond to residuals between the predicted values of one or more of the plurality of predictive models and time series values associated with the first time series. 10. The method of claim 1 , wherein the one or more characteristics are based on a first explanatory value associated with a model type of a first of the plurality of predictive models and a second explanatory value associated with a different model type of a second of the plurality of predictive models. 11. The method of claim 1 comprising: training a subset of the plurality of predictive models based on the one or more characteristics; and evaluating the subset of the plurality of predictive models based on the training, wherein the predictive model is selected for the anomaly detection from the subset based on the evaluating. 12. The method of claim 1 comprising: training the plurality of predictive models using first portions of the sequences of time series values corresponding to a training period; and evaluating second portions of the sequences of time series values corresponding to a prediction period, wherein the one or more characteristics are based on the evaluated second portions. 13. The method of claim 1 , further comprising clustering the sequences of time series values into a plurality of clusters, wherein the first time series corresponds to a representative time series of a first of the plurality of clusters and the second time series corresponds to at least one time series in a second cluster of the plurality of clusters. 14. The method of claim 1 , wherein the obtaining of the sequences of time series values is responsive to a user interaction associated with the sequences of the series values. 15. The method of claim 1 , wherein the values of the second time series correspond to events, each event comprising a time stamp and a portion of raw data. 16. The method of claim 1 , wherein each data point of the second time series is associated with a respective time stamp of a respective event. 17. The method of claim 1 , generating the time series values from event data using a late-binding schema. 18. The method of claim 1 , wherein the predicted values are associated with later times than the values of the second time series used to generate the predictive model. 19. The method of claim 1 , further comprising causing an explanatory message to be presented based on the anomaly detection, the explanatory message indicating a predicted relationship corresponding to the predictive model and an observed relationship associated with an anomaly. 20. The method of claim 1 , wherein the selecting is of multiple models from the plurality of predictive models based on the evaluating of the one or more characteristics, and the anomaly is detected using the multiple models. 21. One or more non-transitory computer-readable storage media having instructions stored thereon, wherein the instructions, when executed by one or more processors, cause the one or more processors to perform a computer-implemented method comprising: obtaining sequences of time series values determined from raw machine data, each sequence corresponding to a respective time series, wherein the raw machine data is produced by one or more components within an information technology or security environment and reflects activity within the information technology or security environment; generating a plurality of predictive models for a first time series from the sequences of time series values, each predictive model to generate predicted values associated with the first time series using time series values corresponding to a second time series; evaluating one or more characteristics of the plurality of predictive models; and automatically selecting a predictive model from the plurality of predictive models for anomaly detection based on the evaluating of the one or more characteristics. 22. The non-transitory one or more computer-readable storage media of claim 21 , wherein the evaluating comprises, for each of the plurality of predictive models, determining an error between the corresponding predicted values and values associated with the first time series, wherein the selecting of the predictive model is based on the error of the predictive model. 23. The non-transitory one or more computer-readable storage media of claim 21 , wherein the sequences of time series values correspond to at least one of performance metrics, security-related metrics, industrial metrics, behavioral data, or transactional metrics. 24. The non-transitory one or more computer-readable storage media of claim 21 , wherein a first of the plurality of predictive models corresponds to a different set of time series than a second of the plurality of predictive models. 25. The non-transitory one or more computer-readable storage media of claim 21 , wherein a first of the plurality of predictive models is a polynomial model, a second of the predictive models is a neural network, and a third predictive model is a decision tree model. 26. A computer-implemented system comprising: one or more processors; one or more non-transitory