https://community.splunk.com/t5/Splunk-Search/Use-of-predict-command-for-alerting/m-p/505683#M141376 <P>Well , I want to create an alert which alert me whenever there is spike in Errors. Currently we are comparing say past 30m count with last 2 week same time same date and comparing with 2w average. But I want to create a near real time alert as it can be false positive this way.&nbsp;</P><P>My errors are like some are trending some come only at time of issues and some are like more during peak business hours and less during off business hours but I want to capture the real spikes like avoiding it to trigger when we move from non business to business hours. I was hoping if I can use predict command to do that but not clear with all algos and if that is right thing to use here.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=rxc sourcetype="rxcapp" (level=ERROR) earliest=-30m@m latest=@m|rex "Id:\s*(?&lt;Id&gt;\d+)," | search [| inputlookup abc.csv | rename id as Id | fields Id]| lookup abc.csv id As Id OUTPUT site|bucket _time span=5m| stats count by _time error_msg site| predict lower95=lower upper95=upper algorithm=LLP5 count as predict| where count&gt;'upper(predict)'|stats latest(count) by error_msg site</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>will this be helpful or this is wrong ? Can predict be used this way with stats command ?or any other suggestion on approach.&nbsp;</P> Tue, 23 Jun 2020 09:01:04 GMT ksharma7 2020-06-23T09:01:04Z https://community.splunk.com/t5/Splunk-Search/Use-of-predict-command-for-alerting/m-p/505683#M141376 <P>Well , I want to create an alert which alert me whenever there is spike in Errors. Currently we are comparing say past 30m count with last 2 week same time same date and comparing with 2w average. But I want to create a near real time alert as it can be false positive this way.&nbsp;</P><P>My errors are like some are trending some come only at time of issues and some are like more during peak business hours and less during off business hours but I want to capture the real spikes like avoiding it to trigger when we move from non business to business hours. I was hoping if I can use predict command to do that but not clear with all algos and if that is right thing to use here.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=rxc sourcetype="rxcapp" (level=ERROR) earliest=-30m@m latest=@m|rex "Id:\s*(?&lt;Id&gt;\d+)," | search [| inputlookup abc.csv | rename id as Id | fields Id]| lookup abc.csv id As Id OUTPUT site|bucket _time span=5m| stats count by _time error_msg site| predict lower95=lower upper95=upper algorithm=LLP5 count as predict| where count&gt;'upper(predict)'|stats latest(count) by error_msg site</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>will this be helpful or this is wrong ? Can predict be used this way with stats command ?or any other suggestion on approach.&nbsp;</P> Tue, 23 Jun 2020 09:01:04 GMT https://community.splunk.com/t5/Splunk-Search/Use-of-predict-command-for-alerting/m-p/505683#M141376 ksharma7 2020-06-23T09:01:04Z https://community.splunk.com/t5/Splunk-Search/Use-of-predict-command-for-alerting/m-p/505819#M141431 <P>I'm skeptical that <STRONG>predict</STRONG> would be the right way to do that.&nbsp;</P><P>It seems like the right thing to do would be, each night off peak, to calculate the next day's boundaries <EM>once</EM>&nbsp; for each 5, 10 or 15 minute increment, and output those times and limits to a lookup table.</P><P>Then, you'd just have to calculate the current errors and read the lookup table to get the limits for whatever <STRONG>_time</STRONG> and <STRONG>site</STRONG>&nbsp;you are running and test the compliance.&nbsp;</P><P>&nbsp;</P> Tue, 23 Jun 2020 19:07:59 GMT https://community.splunk.com/t5/Splunk-Search/Use-of-predict-command-for-alerting/m-p/505819#M141431 DalJeanis 2020-06-23T19:07:59Z https://community.splunk.com/t5/Splunk-Search/Use-of-predict-command-for-alerting/m-p/505869#M141494 <P>Yeah , then I think it is good the way I am using it currently like comparing with two week average count</P> Wed, 24 Jun 2020 05:05:41 GMT https://community.splunk.com/t5/Splunk-Search/Use-of-predict-command-for-alerting/m-p/505869#M141494 ksharma7 2020-06-24T05:05:41Z