Hi have updated the query with * in license_usage.log but still it throws an error as command="predict", No data

index=_internal (host=LIC_SRV_1 OR host=LIC_SRV_2) source=license_usage.log type=RolloverSummary
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time
[ search index=_internal (host=LIC_SRV_1 OR host=LIC_SRV_2) source=license_usage.log type=RolloverSummary
| bin _time span=1d
| stats latest(stacksz) AS stacksz by _time, host
| stats sum(stacksz) AS stacksz by _time
| stats latest(stacksz) AS stacksz by _time ]
| fields - _timediff
| streamstats time_window=120d p89(volume) as runningVol max(volume) as maxVol
| where volume > 0
| predict runningVol maxVol volume future_timespan=120 algorithm=LLP5
| foreach ""
[ eval <>=round('<>'/1024/1024/1024, 3)]

So kindly help please.

@soutamo,

When i ran the query from 18th Feb 2019 to 18th Feb 2020 it throws an error as command="predict", No data

So kindly help on this.

Hi this assumes that you have that data in _internal index. If your retention time for that is smaller then this didn't work. Splunk defaults for this is quite small if I recall right.

Just try to see if you have that data:

index=_internal source=license_usage.log type=RolloverSummary earliest=-2y latest=now
| timechart span=1mon count

Another place to check it is MC and there Indexes & volumes.

r. Ismo

What this query shows:

index=_internal source=*license_usage.log type=RolloverSummary earliest=-1y latest=now
| timechart span=1mon count

This query shows the stats in months from last year till this month in count .

If you don't know your LM then just remove "(host=LIC_SRV_1 OR host=LIC_SRV_2)" those from above query (on both main and subquery). Then it should work.

 index=_internal  source=*license_usage.log* type=RolloverSummary 
 | bin _time span=1d 
 | stats latest(b) AS b by slave, pool, _time 
 | timechart span=1d sum(b) AS "volume" fixedrange=false 
 | join type=outer _time 
     [ search index=_internal source=*license_usage.log* type=RolloverSummary 
     | bin _time span=1d 
     | stats latest(stacksz) AS stacksz by _time, host 
     | stats sum(stacksz) AS stacksz by _time 
     | stats latest(stacksz) AS stacksz by _time ] 
 | fields - _timediff 
 | streamstats time_window=30d p89(volume) as runningVol max(volume) as maxVol 
 | where volume > 0 
 | predict runningVol maxVol volume future_timespan=120 algorithm=LLP5 
 | foreach "*" 
     [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

@isoutamo

I ran the query & there are no results when i ran for All time, or even Last 30 days, or last 24 hours.

index=_internal source=license_usage.log type=RolloverSummary earliest=-2y latest=now
| timechart span=1mon count

So how can i check the prediction for future?

Then you probably haven't access to this _internal index? Without current data you cannot predict it with this query.

r. Ismo

When i ran the query with _internal i can see the logs and kindly note i am the admin of our Splunk Cloud and i can able to see the logs

I have corrected the query and now i can able to see logs.

index=_internal source=*license_usage.log type=RolloverSummary earliest=-2y latest=now
| timechart span=1mon count

I have ran it for all time and the data has been split in months and it shows in count.

so how can i predict for future.

Hi have updated the query with * in license_usage.log but still it throws an error as command="predict", No data

index=_internal (host=LIC_SRV_1 OR host=LIC_SRV_2) source=license_usage.log type=RolloverSummary
| bin _time span=1d
| stats latest(b) AS b by slave, pool, _time
| timechart span=1d sum(b) AS "volume" fixedrange=false
| join type=outer _time
[ search index=_internal (host=LIC_SRV_1 OR host=LIC_SRV_2) source=license_usage.log type=RolloverSummary
| bin _time span=1d
| stats latest(stacksz) AS stacksz by _time, host
| stats sum(stacksz) AS stacksz by _time
| stats latest(stacksz) AS stacksz by _time ]
| fields - _timediff
| streamstats time_window=120d p89(volume) as runningVol max(volume) as maxVol
| where volume > 0
| predict runningVol maxVol volume future_timespan=120 algorithm=LLP5
| foreach ""
[ eval <>=round('<>'/1024/1024/1024, 3)]

So kindly help please.

Have you change those LIC_SRV_1 and LIC_SRV_2 to your current license master? And if you have only one LM then just LIC_SRV_2 away from main and subquery.

aah. it seems that this editor has removed couple of * away from that query 😞

index=_internal (host=LIC_SRV_1 OR host=LIC_SRV_2) source=*license_usage.log* type=RolloverSummary 
| bin _time span=1d 
| stats latest(b) AS b by slave, pool, _time 
| timechart span=1d sum(b) AS "volume" fixedrange=false 
| join type=outer _time 
    [ search index=_internal (host=LIC_SRV_1 OR host=LIC_SRV_2) source=*license_usage.log* type=RolloverSummary 
    | bin _time span=1d 
    | stats latest(stacksz) AS stacksz by _time, host 
    | stats sum(stacksz) AS stacksz by _time 
    | stats latest(stacksz) AS stacksz by _time ] 
| fields - _timediff 
| streamstats time_window=30d p89(volume) as runningVol max(volume) as maxVol 
| where volume > 0 
| predict runningVol maxVol volume future_timespan=120 algorithm=LLP5 
| foreach "*" 
    [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Hi Ismo,

Thank you I have modified the host name field with our cluster master name then i can able to see some results. I have ran the query from last April 2019 till yesterday Feb 18 2020 and i can able to see around 186 data as statistics and 500+ Events.

Actually there are multiple fields such as mentioned below:
When i switch to statistics tab there is a table format with following details.
_ time : In this field i can able to see in April 2019 1 stats data, July 2019 1 stats data and in Aug 1 stats data then from Dec 20th 2019 till data i have the statistics information.

volume : It explains about the daily license usage which we have utilized till date.

Can you kindly explain how this fields are getting extracted and also please explain the LLP5 algorithm

lower95(prediction(maxVol))
lower95(prediction(runningVol))
lower95(prediction(volume))
maxVol
prediction(maxVol)
prediction(runningVol)

prediction(volume)
runningVol
stacksz
upper95(prediction(maxVol))
upper95(prediction(runningVol))
upper95(prediction(volume))

Hi

Easiest way to look this is to use Visualization tab. It shows graphically current and predicted values. For more detailed level information can see on Statistics tab.

Most of those you can found from https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Predict.

maxVol - maximum daily indexed data (from beginning of search time)
runningVol - daily indexed data per day
stacksz - Current Splunk License size per day

And if you need more information about those prediction algorithms then e.g. wikipedia helps you.

r. Ismo

Thank you Ismo.

The provided link seems to be not working let me google it as you mentioned.

Please drop the last dot . away, then it works.

Predict needs that you have enough many "bucket" existing data for predicting. Please check it from documentation and then update those values which I have used based on how much current data you have.

t. Ismo

@Nick,

If i use the 1st query the results are popping as events and there is no stats for that with the information. I have searched for last 30 days but the data are in the form of events and there are no stats. Yesterday also it exceeded above 90% but still i cant able to fetch the data.

Similarly if i use the 2nd query the predict used should predict the future forecast trends i.e. it should be use the previous stats and able to give a forecast for Mar and April 2020.