How to get prediction for next few days for certai...

pramit46 · ‎01-27-2018

I have disk utilization log for which i want to do prediction for next 3 days for the following levels:
location, client, server

Problem is timechart (which is required for the predict command) does not allow more than one field. How do i proceed?
I am using ml app.
My search command is something like this:

Search data| apply model|timechart avg(usage) as avg by location|predict avg future_timespan=3

How do i incorporate client and server in this so that i get prediction for each level?

DalJeanis · ‎01-27-2018

Basically, you can only do one thing at a time. However, you can fake out the system

 Search data
| apply model
| eval mygroupfield=mvappend("L=".location,
    "L=".location."!!!!C=".client,
    "L=".location."!!!!C=".client."!!!!S=".server)
| fields - location client server
| mvexpand mygroupfield
| timechart avg(usage) as avg by mygroupfield
| predict avg future_timespan=3

After that, you can filter or break up the predictions as you choose using something like this:

| rex mygroupfield  "L=(?<location>.+?)(!!!!C=(?<client>.+?))?(!!!!S=(?<server>.+?))?$"

There will be a single record for each location, a record for each location-client, and a record for each location-client-server.

pramit46 · ‎01-28-2018

thanks a lot. but the predict command says cannot find the field avg. when I look into the timechart, I see due to breakup, it shows all the values of mygroupfield but no specific group called avg or avg(usage).
any idea what I can do for this?

How to get prediction for next few days for certain categories?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk