All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I predict the number of events sent for each host in the Splunk Machine Learning Toolkit?

davietch
Path Finder
‎04-03-2018 05:07 AM

Hi,

I am using the MachineLearning Toolkit in order to predict how many events each host are usually sending.
To do so, I selected the "Predict Numeric Fields" showcase and created the following command:

| tstats count where index=*  by host,_time span=1h
|eval date_wday=strftime(_time,"%w"), date_hday=strftime(_time,"%H")

This gives me the number of event per host for each hour. I also compute 2 fields: the weekday and the hour of the day.

But when I run the Linear Regression with "count" field to predict and the "host", "date_wday" and "date_hday" as used fields for predicting, the result is awful.
When I filter on just one host, the prediciting is working quite well but as soon as there are severals hosts names, the ML does not work.

Any idea how to create a model that take in account the name of the host? Maybe some preprocessing?

Thanks

0 Karma
Reply

jcoates
Communicator
‎04-03-2018 07:09 PM

I expect that means that each host is a different context with different data and needs a different linear regression. If they were all the same then the model of one's past would predict future for all the others. Since your results show that isn't true...

0 Karma
Reply

davietch
Path Finder
‎04-04-2018 12:28 AM

Yes they all have a different behavior, but I can not create a model for my 20K Forwarders.... Can I? I bet there is a more clever solution..

0 Karma
Reply

jcoates
Communicator
‎04-04-2018 08:34 AM

do groups behave similarly? Can you make a model for each group?

0 Karma
Reply

davietch
Path Finder
‎04-05-2018 12:26 AM

I do not have groups... They all behave differently

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...