How to edit my timechart search to predict when th...

jreddy · ‎02-26-2016

Currently, my line chart is showing predict vales for the given subnets i.e when the subnets will run out of Free address (Time in month and year)
And my input for example as 'default/17.0.1.0/24'.
The chart shows time in X-Axis and "Free addresses" in Y-Axis.

My current requirement is instead of input network ('default/17.0.1.0/24'), we need to take a new input filter 'Top N'

So, we need to predict when the Top N subnets will run out of Free addresses.
The top N lines will show lines for Top N subnets whose free address will exhaust first. Each line will represent the subnet.
I tried the foreach command, but not able to apply the predict. Looks like foreach command is basically doing some operations on certain field sets, mainly evals, not sure where can we apply that with the current requirement. Any suggestions please.

my search string is something like below:

| eval Free=address_total-dhcp_hosts
| stats max(Free) as Free by _time  view_network
| timechart  max(Free) as "Free Addresses"
| forecast "Free Addresses" future_timespan=150 as Prediction

Appreciate if any suggestions/ideas on how to achieve this.

thomrs · ‎05-12-2016

Try streamstats to set the value of free IPS at the time and use predict to look ahead.

HattrickNZ · ‎03-23-2016

like predict don't think this can be done see here

How to edit my timechart search to predict when the Top N subnets will run out of Free addresses?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?