https://community.splunk.com/t5/Splunk-Search/predict-per-host/m-p/380134#M111283 <P>There are already some similar questions here, but we're not getting to an answer so far.<BR /> We would like to predict when the Free Disk Space counter is below a certain value for each host in the index.<BR /> An example for one host can be written and alerted on as follows:</P> <PRE><CODE>index=perfmon host=server1 instance="D:" sourcetype="Perfmon:sqlserverhost:logicaldisk_daily" counter="% Free Space" | timechart min(Value) as "Free Space" | predict "Free Space" AS p_free_space algorithm=LLP5 future_timespan=180 | where p_free_space&lt;=5 | sort _time | head 1 | fields _time host </CODE></PRE> <P>The map command should give us the possibility to do this for multiple hosts, but we're missing something:</P> <PRE><CODE>index=perfmon (host=server1 OR host=server2) | dedup host | map [search index=perfmon host=$host$ instance="D:" sourcetype="Perfmon:sqlserverhost:logicaldisk_daily" counter="% Free Space" | timechart min(Value) as "Free Space" | predict "Free Space" AS p_free_space algorithm=LLP5 future_timespan=180 | where p_free_space&lt;=5 ] </CODE></PRE> <P>Anybody who can tell what we're missing...?<BR /> Thanks!</P> Tue, 26 Mar 2019 09:55:09 GMT deangoris 2019-03-26T09:55:09Z https://community.splunk.com/t5/Splunk-Search/predict-per-host/m-p/380134#M111283 <P>There are already some similar questions here, but we're not getting to an answer so far.<BR /> We would like to predict when the Free Disk Space counter is below a certain value for each host in the index.<BR /> An example for one host can be written and alerted on as follows:</P> <PRE><CODE>index=perfmon host=server1 instance="D:" sourcetype="Perfmon:sqlserverhost:logicaldisk_daily" counter="% Free Space" | timechart min(Value) as "Free Space" | predict "Free Space" AS p_free_space algorithm=LLP5 future_timespan=180 | where p_free_space&lt;=5 | sort _time | head 1 | fields _time host </CODE></PRE> <P>The map command should give us the possibility to do this for multiple hosts, but we're missing something:</P> <PRE><CODE>index=perfmon (host=server1 OR host=server2) | dedup host | map [search index=perfmon host=$host$ instance="D:" sourcetype="Perfmon:sqlserverhost:logicaldisk_daily" counter="% Free Space" | timechart min(Value) as "Free Space" | predict "Free Space" AS p_free_space algorithm=LLP5 future_timespan=180 | where p_free_space&lt;=5 ] </CODE></PRE> <P>Anybody who can tell what we're missing...?<BR /> Thanks!</P> Tue, 26 Mar 2019 09:55:09 GMT https://community.splunk.com/t5/Splunk-Search/predict-per-host/m-p/380134#M111283 deangoris 2019-03-26T09:55:09Z https://community.splunk.com/t5/Splunk-Search/predict-per-host/m-p/380135#M111284 <P>Hi,</P> <P>Did you looked into MLTK new algorithm StateSpaceforecast which supports multivariate? Checkout the blog below for more information:<A href="https://www.splunk.com/blog/2019/03/20/what-s-new-in-the-splunk-machine-learning-toolkit-4-2.html">https://www.splunk.com/blog/2019/03/20/what-s-new-in-the-splunk-machine-learning-toolkit-4-2.html</A></P> <P>Also, we have now new alerts for Machine learning which can be used in your usecase. Checkout the documentation on statespace forecast here : <A href="https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#StateSpaceForecast">https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#StateSpaceForecast</A></P> <P>Thanks,</P> Tue, 26 Mar 2019 16:56:55 GMT https://community.splunk.com/t5/Splunk-Search/predict-per-host/m-p/380135#M111284 grana_splunk 2019-03-26T16:56:55Z