Splunk Search

How to edit my timechart search to predict when the Top N subnets will run out of Free addresses?

jreddy
New Member
  • Currently, my line chart is showing predict values for the given subnets, i.e. when the subnets will run out of Free addresses (time in month and year).
  • And my input is, for example, 'default/17.0.1.0/24'.
  • The chart shows time in X-Axis and "Free addresses" in Y-Axis.

My current requirement is that, instead of the input network ('default/17.0.1.0/24'), we need to take a new input filter, 'Top N'.

  • So, we need to predict when the Top N subnets will run out of Free addresses.
  • The top N lines will show lines for the Top N subnets whose free addresses will be exhausted first. Each line will represent a subnet.
  • I tried the foreach command, but was not able to apply predict. It looks like the foreach command basically does some operations on certain field sets, mainly evals; I'm not sure where we can apply that with the current requirement. Any suggestions, please?

My search string is something like below:

| eval Free=address_total-dhcp_hosts
| stats max(Free) as Free by _time  view_network
| timechart  max(Free) as "Free Addresses"
| forecast "Free Addresses" future_timespan=150 as Prediction

I'd appreciate any suggestions/ideas on how to achieve this.

0 Karma

thomrs
Communicator

Try streamstats to set the value of free IPs at the time and use predict to look ahead.

0 Karma

HattrickNZ
Motivator

Like predict, I don't think this can be done; see here.

0 Karma
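An added example, not part of any post in this thread and not using predict: it fits a least-squares straight line to daily Free values per subnet with plain stats/eval, extrapolates to the day Free reaches zero, and keeps the N subnets that get there first. The fields address_total, dhcp_hosts and view_network come from the question; the `<your base search>` placeholder, the 1-day span, the 3-point minimum and N=5 are assumptions, and a linear trend is a simplification of what predict models.

```spl
<your base search>
| eval Free=address_total-dhcp_hosts
| bin _time span=1d
| stats min(Free) as Free by _time view_network
| eventstats min(_time) as t0
| eval x=(_time-t0)/86400
| eval xy=x*Free, xx=x*x
| stats count as n sum(x) as sx sum(Free) as sy sum(xy) as sxy sum(xx) as sxx min(t0) as t0 by view_network
| where n>=3 AND (n*sxx-sx*sx)>0
| eval slope=(n*sxy-sx*sy)/(n*sxx-sx*sx)
| eval intercept=(sy-slope*sx)/n
| where slope<0
| eval exhaust_epoch=t0+86400*(-intercept/slope)
| sort 5 exhaust_epoch
| eval exhaust_date=strftime(exhaust_epoch, "%Y-%m-%d")
| table view_network slope exhaust_date
```

Time is rebased to days since the earliest event (x) so the sums stay small enough for accurate arithmetic; subnets whose Free count is flat or growing (slope>=0) are dropped because they never reach zero under a linear trend.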