Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to exclude fields from LinearRegression command/use subsearch to generate fields for LinearRergession ?

achervov
Engager
‎07-25-2018 03:03 AM

Consider fit LinearRegression
| fit LinearRegression "name2predict" from "f1" "f2" into "test_model"

Question 0
What are flexebilities defining the FEATURE LIST -- i.e. from "f1" "f2" ?

SubQuestion 1
Is it possible to write something like
NOT "f1" - exclude "f1"
or something like f1* OR f2*
etc ?

SubQuestion 2 Can we use somehow subsearch to generate fields list ?

If no simple way to do it what are some ways round ?

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎07-25-2018 08:41 AM

If you wanted to exclude f1 then you should not include it as your explanatory field.. Why would you want to choose f1 OR f2? Why not just include both and let the machine determine which feature to put emphasis on? You can run | summary <model_name> to identify how much impact each feature has on the target function.

Why do you mean using a sub-search to generate a fields list? Are you referring to making the data available so you can fit your model? If so, then you can use whatever you want just as long as the data is available before the fit command. One thing to consider though is speed and scale. You need to make sure your search is fast so it can run on a consistent basis so the machine can keep learning and adapting

0 Karma
Reply

achervov
Engager
‎07-25-2018 11:43 PM

To make explicit description of fields names is very inconvenient in my case, because that names can be changed. I want to exclude very specific name like "_time" , but I do not want to exclude by previous "field - _time" command, because then it will dispappear from the whole pipiline, so it would be impossible to plot by next command "table _time, error". By using subsearch I mean something like [ | mcatalog | return ??? ] put such expression instead of explicit fields list.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...