How to to apply the predict function in the count ...

avni26 · ‎09-04-2023

I have use case to use the ML feature to detect the anamoly in comm sent from each ID.
I was trying to get the same from predict function, but there is multiple ID's and I can't set an alert/report individually for all ID's.
How I can use the same, Please help.

Query which I am trying:

index=indexhc source=hcdriver sourcetype="assembly" appname="marketing" ID IN (abc,xyz,qtr,jyk,klo,mno,ghr)
| timechart span=1d count as commSent by ID
| predict commSent as predicted_commSent algorithm=LLP holdback=0 future_timespan=24
| eval anamoly_score=if(isnull(predicted_commSent),0,abs(commSent - predicted_commSent))
|table _time,ID,commSent,predicted_commSent,anamoly_score

Above query is not giving any output,it seems predict command doesnot work with multiple columns.

Please suggest.

yuanliu · ‎09-04-2023

Field names after timechart with groupby are not commSent, but the values of the groupby field, i.e., values of ID. (You can examine Statistics tab to confirm this.) You need to enumerate these values. Say, you have five values ID1, ID2, ID3, ID4, ID5, you do

index=indexhc source=hcdriver sourcetype="assembly" appname="marketing" ID IN (abc,xyz,qtr,jyk,klo,mno,ghr) 
| timechart span=1d count as commSent by ID
| predict ID1 as predicted_ID1 ID2 as predicted_ID2 ID3 as predicted_ID3 ID4 as predicted_ID4 ID5 as predicted_ID5 algorithm=LLP holdback=0 future_timespan=24

(Then you will need to figure out what to do with these 10 additional series.) Hope this helps.

How to to apply the predict function in the count of each Id?

chart

eval

fields

search job inspector

stats

subsearch

timechart

tstats

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform