Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use predict command in tabular format?

Taruchit
Contributor
‎10-18-2023 12:28 PM

Hello All,

I have data in the form of a table with two fields: index, sourcetype. Each row has unique pair of values for the two fields.

I need your guidance to compute and publish the forecast value for number of events  next day based on historical data fetched for each row on the basis of corresponding index and sourcetype.

Any inputs and guidance will be very helpful.

Thank you
Taruchit

Labels (3)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-19-2023 12:47 AM

Hi

predict needs a time series data for make a forecast. Also it needs enough datapoints to do that forecast.

Based on your need you should/could select user algorithm and other needed parameters or use just predict with field lists like

index=_internal source=*/var/log/splunk/*.log
| timechart count by sourcetype
| fields splunkd splunkd_access
| predict splunkd splunkd_access

Could you share your current data (inside "</>" block)?

r. Ismo

0 Karma
Reply

Taruchit
Contributor
‎10-19-2023 04:02 AM

Hello @isoutamo,

The data is in the lookup file is in the form below, I need to read data from each row and compute the results: -

index   sourcetype
-----------------------
idx1    s1
idx2    s2
idx3    s3
idx1    s4

Now I need to compute and display results of each row by running predict command on each of them.

 The base query that I have built for running predict command that will fetch the forecast values for each row: -

index=custom_index orig_index=idx1 orig_sourcetype=s1 earliest=-4w@w latest=-2d@d
| timechart span=1d avg(event_count) AS avg_event_count 
| predict avg_event_count
| tail 1
| fields prediction(avg_event_count)

 
Please share if you need any more details from my end. I hope to seek your inputs on solving the problem.

Thank you

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-19-2023 04:57 AM
How many (approximately) index sourcetype pairs you have? Only those few or e.g. tens/hundreds?
0 Karma
Reply

Taruchit
Contributor
‎10-19-2023 05:03 AM

Hi @isoutamo,

The current count is under 150.

Thank you

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-01-2023 12:45 AM

As long as you have only some pairs you could try map command https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Map

But you must follow up it's memory and other resource usage and when needed switch to other way to do it.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...