Archive
Highlighted

predict function query

Builder

at time i find the predict function predicts values over 100% based on historical data.
is there anything i can configure to ensure the predicted value does not go over 100%, ie cutoff at 100%, or set max value as 100% ?

basically want to limit the predict value not to go beyond a certain number

john.

Tags (1)
0 Karma
Highlighted

Re: predict function query

SplunkTrust
SplunkTrust

hi @jiaqya,

Check this out :

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Predict

It's got everything you can do with the predict command, I don't see any way to limit the upper bound to 100 but you could always use eval on the resulting field and make a condition saying if > 100 then make it 100.

Cheers,
David

View solution in original post

0 Karma
Highlighted

Re: predict function query

Builder

Thanks David, but it does not tell much about limiting the prediction value.

in my case , im trying to get prediction for max cpu, and it seems with 3 months of data, its predicting over 100% of cpu, which is not true, so anything over 100% i would like to eval it to 100.

is there a way to do it via predict function, else would it be ok to do it with eval..

0 Karma
Highlighted

Re: predict function query

SplunkTrust
SplunkTrust

Hey again @jiaqya, all available options for the predict commands are in the reference sheet. I went through it again and there is no max boundary that can be set which means the only way to avoid these weird over 100% predictions is to use predict followed by eval setting the maximum value. Let me know if you're not able to build the eval I'll help you out with it 🙂

0 Karma
Highlighted

Re: predict function query

Builder

Thanks for helping David, i was having trouble evaluating the fields.

the field is maxCPU

after predict i get a field called prediction(maxCPU)

i was not able to eval this field due to the nature of function in it, due to brackets.

i was trying below, didnt work, see if you can help.

eval prediction(maxCPU)=if(prediction(maxCPU)>100,100,prediction(maxCPU))

0 Karma
Highlighted

Re: predict function query

SplunkTrust
SplunkTrust

Try using the eval as follows :

|eval prediction(maxCPU)=if('prediction(maxCPU)'>100,100,'prediction(maxCPU)')

0 Karma
Highlighted

Re: predict function query

Builder

Thanks ,that worked...

Highlighted

Re: predict function query

SplunkTrust
SplunkTrust

awesome 😉

0 Karma