topic Re: predict function query in Splunk Search

predict function query

jiaqya — Thu, 02 May 2019 09:38:58 GMT

at time i find the predict function predicts values over 100% based on historical data.
is there anything i can configure to ensure the predicted value does not go over 100%, ie cutoff at 100%, or set max value as 100% ?

basically want to limit the predict value not to go beyond a certain number

john.

Re: predict function query

DavidHourani — Thu, 02 May 2019 09:49:55 GMT

hi @jiaqya,

Check this out :

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Predict

It's got everything you can do with the predict command, I don't see any way to limit the upper bound to 100 but you could always use eval on the resulting field and make a condition saying if > 100 then make it 100.

Cheers,
David

Re: predict function query

jiaqya — Thu, 02 May 2019 09:58:04 GMT

Thanks David, but it does not tell much about limiting the prediction value.

in my case , im trying to get prediction for max cpu, and it seems with 3 months of data, its predicting over 100% of cpu, which is not true, so anything over 100% i would like to eval it to 100.

is there a way to do it via predict function, else would it be ok to do it with eval..

Re: predict function query

DavidHourani — Thu, 02 May 2019 10:29:47 GMT

Hey again @jiaqya, all available options for the predict commands are in the reference sheet. I went through it again and there is no max boundary that can be set which means the only way to avoid these weird over 100% predictions is to use predict followed by eval setting the maximum value. Let me know if you're not able to build the eval I'll help you out with it 🙂

Re: predict function query

jiaqya — Thu, 02 May 2019 10:32:05 GMT

Thanks for helping David, i was having trouble evaluating the fields.

the field is maxCPU

after predict i get a field called prediction(maxCPU)

i was not able to eval this field due to the nature of function in it, due to brackets.

i was trying below, didnt work, see if you can help.

eval prediction(maxCPU)=if(prediction(maxCPU)>100,100,prediction(maxCPU))

Re: predict function query

DavidHourani — Thu, 02 May 2019 10:40:04 GMT

Try using the eval as follows :

|eval prediction(maxCPU)=if('prediction(maxCPU)'>100,100,'prediction(maxCPU)')

Re: predict function query

jiaqya — Thu, 02 May 2019 11:19:14 GMT

Thanks ,that worked...

Re: predict function query

DavidHourani — Thu, 02 May 2019 11:20:54 GMT

awesome 😉