topic Re: Use predict with dynamic values in MLTK in Splunk Search

Use predict with dynamic values in MLTK

Deniz_Oe — Tue, 16 Jun 2020 13:03:00 GMT

Hey!

So I am trying to hand the Kalman filter in Splunk's MLTK a dynamic value for the period which I first find through Auto correlation Function in the sub search and is named corr_lag:

index = cisco_prod | timechart span=1h count as logins_hour |eval corr_lag= [`ACF_Correlation_Lag`]| predict "logins_hour" as prediction algorithm=LLP holdback=200 future_timespan=368 period=corr_lag upper95=upper95 lower95=lower95 | `forecastviz(368, 200, "logins_hour", 95)`

the sub search looks as follows:

Somehow I must do something wrong because I always get the following error:

command="predict", Invalid period : 'corr_lag'

the subsearch actually works fine and gives me the right period back.

Can somebody help me find the right way to do this?

Thanks!

Re: Use predict with dynamic values in MLTK

dmarling — Tue, 16 Jun 2020 15:36:13 GMT

Hello @Deniz_Oe,

You have a syntax issue with the predict command. The period predict command option requires a number to be present after it, it will not accept values from another field per the documentation: https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Predict

period
Syntax: period=<num>
Description: Specifies the length of the time period, or recurring cycle, in the time series data. The number must be at least 2. The LLP and LLP5 algorithms attempt to compute the length of time period if no value is specified. If you specify the span argument with the timechart command, the unit that you specify for span is the unit used for period. For example, if your search is ...|timechart span=1d foo2| predict foo2 period=3. The spans are 1 day and the period for the predict is 3 days. Otherwise, the unit for the time period is a data point. For example, if there are a thousand events, then each event is a unit. If you specify period=7, that means the data recycles after every 7 data points, or events.
Default: None

What you are trying to do still can be accomplished, but you need to use the map command to execute your query so it passes a token of the numeric value from your macro to execute your query:

index = cisco_prod | timechart span=1h count as logins_hour | fit ACF logins_hour k=200 fft=true conf_interval=95 as corr | top limit=2 acf(corr),Lag | stats max(Lag) as corr_lag | map search="index = cisco_prod | timechart span=1h count as logins_hour | predict \"logins_hour\" as prediction algorithm=LLP holdback=200 future_timespan=368 period=$corr_lag$ upper95=upper95 lower95=lower95"

Re: Use predict with dynamic values in MLTK

Deniz_Oe — Wed, 17 Jun 2020 06:48:45 GMT

Hey @dmarling ,

thanks for the quick answer! However, if I now run the query

It returns no results. I have not worked yet with map search, so I don't know if I have to do anything additional for it to work.

Would be grateful for further advice, thanks!

EDIT: adding a "search=" into the map search did the trick, thanks!