Splunk Search

How to apply the predict function for the most varying field?

VatsalJagani
SplunkTrust

I'm trying to do something like the following: from my output I just need to apply the predict function on the most varying field. For example

index=_internal sourcetype=splunkd* | timechart count as Count by sourcetype | predict splunkd_access

I can use the above query if I have to write the query manually, as I know splunkd_access is the most varying field, but in my case I have to find the most varying field by query (we can do this by using the stdev command with eventstats). And then for the field with the highest stdev I need to apply the predict function; I also want to remove other fields like splunkd and splunkd_ui_access, so they won't show up in the chart.

Two ways that I know to solve this problem are a custom command and JavaScript. But if possible I want to solve it with a query only.

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust

Hi @VatsalJagani,

Can you please try the following search?

index=_internal sourcetype=splunkd*
| timechart useother=f count as Count by sourcetype where stdev in top1
| foreach "*"
    [ eval column_value='<<FIELD>>', column_name="<<FIELD>>" ]
| table _time column_value column_name
| predict column_value
| eval {column_name}=column_value, "prediction({column_name})"='prediction(column_value)',
    "lower95(prediction({column_name}))"='lower95(prediction(column_value))',
    "upper95(prediction({column_name}))"='upper95(prediction(column_value))'
| fields - column_value column_name "prediction(column_value)"
    "lower95(prediction(column_value))" "upper95(prediction(column_value))" "upper95(prediction())" "lower95(prediction())" "prediction()"

Here, to find the most varying field, I have used stdev, as you mentioned in the question, in the where clause after timechart. This will give 2 columns: _time and splunkd; it would be as per the events.

 | timechart useother=f count as Count by sourcetype where stdev in top1

Another challenge is to pass the column name to the predict command. For that I have used:

| foreach "*" [ eval column_value='<<FIELD>>', column_name="<<FIELD>>" ]

This will give me column_name, which will hold the original column name, and column_value, which will hold the value of that column.

Now we can use the predict command.

| predict column_value 

As we need only a few columns with proper field names, I have evaled new columns:

| eval {column_name}=column_value, "prediction({column_name})"='prediction(column_value)',
 "lower95(prediction({column_name}))"='lower95(prediction(column_value))',
 "upper95(prediction({column_name}))"='upper95(prediction(column_value))'

and removing extra columns:

| fields - column_value column_name "prediction(column_value)" 
 "lower95(prediction(column_value))" "upper95(prediction(column_value))" "upper95(prediction())" "lower95(prediction())" "prediction()"

Please implement it and make the required changes to the search as per your requirement.

Let me know if there is any issue,

Thanks
Kamlesh

Happy Splunking


VatsalJagani
SplunkTrust

Hi @kamlesh_vaghela,
I worked around your solution; this is amazing. I've also added something to make it actually look like the predict function. See the query below.

index=_internal sourcetype=splunkd*
| timechart span=1m useother=f count as Count by sourcetype where stdev in top1
| foreach "*"
    [ eval column_value='<<FIELD>>', column_name="<<FIELD>>" ]
| predict column_value future_timespan=14
| filldown column_name
| eval {column_name}=column_value, "prediction({column_name})"='prediction(column_value)',
    "lower95(prediction({column_name}))"='lower95(prediction(column_value))',
    "upper95(prediction({column_name}))"='upper95(prediction(column_value))'
| eval _lower = "lower95(prediction(".column_name."))", _upper = "upper95(prediction(".column_name."))", _predicted = "prediction(".column_name.")"
| fields - column_value column_name "prediction(column_value)"
    "lower95(prediction(column_value))" "upper95(prediction(column_value))"

0 Karma
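To verify the whole chain on data you control before pointing it at index=_internal, here is an added example (not from either poster) that builds three synthetic per-minute series with makeresults, of which splunkd_access is constructed to vary the most, and then runs the same selection, foreach, predict, filldown and rename steps; the series formulas, the two-hour window and future_timespan=10 are assumptions.

```spl
| makeresults count=120
| streamstats count as n
| eval _time=relative_time(now(), "-2h@m") + n*60
| eval splunkd=100 + (n % 3),
       splunkd_access=round(60 + 40*sin(n/4)),
       splunkd_ui_access=20 + (n % 2)
| table _time splunkd splunkd_access splunkd_ui_access
| untable _time sourcetype Count
| timechart span=1m useother=f sum(Count) as Count by sourcetype where stdev in top1
| foreach "*"
    [ eval column_value='<<FIELD>>', column_name="<<FIELD>>" ]
| predict column_value future_timespan=10
| filldown column_name
| eval {column_name}=column_value,
       "prediction({column_name})"='prediction(column_value)',
       "lower95(prediction({column_name}))"='lower95(prediction(column_value))',
       "upper95(prediction({column_name}))"='upper95(prediction(column_value))'
| eval _predicted="prediction(".column_name.")",
       _lower="lower95(prediction(".column_name."))",
       _upper="upper95(prediction(".column_name."))"
| fields - column_value column_name "prediction(column_value)"
    "lower95(prediction(column_value))" "upper95(prediction(column_value))"
```

The result should contain only splunkd_access and its prediction, lower95 and upper95 columns, with ten future rows that still carry the right names because filldown copies column_name into the rows predict appended.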