Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use predict command in tabular format?

Taruchit
Contributor
‎10-18-2023 12:28 PM

Hello All,

I have data in the form of a table with two fields: index, sourcetype. Each row has unique pair of values for the two fields.

I need your guidance to compute and publish the forecast value for number of events  next day based on historical data fetched for each row on the basis of corresponding index and sourcetype.

Any inputs and guidance will be very helpful.

Thank you
Taruchit

Labels (3)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-19-2023 12:47 AM

Hi

predict needs a time series data for make a forecast. Also it needs enough datapoints to do that forecast.

Based on your need you should/could select user algorithm and other needed parameters or use just predict with field lists like

index=_internal source=*/var/log/splunk/*.log
| timechart count by sourcetype
| fields splunkd splunkd_access
| predict splunkd splunkd_access

Could you share your current data (inside "</>" block)?

r. Ismo

0 Karma
Reply

Taruchit
Contributor
‎10-19-2023 04:02 AM

Hello @isoutamo,

The data is in the lookup file is in the form below, I need to read data from each row and compute the results: -

index   sourcetype
-----------------------
idx1    s1
idx2    s2
idx3    s3
idx1    s4

Now I need to compute and display results of each row by running predict command on each of them.

 The base query that I have built for running predict command that will fetch the forecast values for each row: -

index=custom_index orig_index=idx1 orig_sourcetype=s1 earliest=-4w@w latest=-2d@d
| timechart span=1d avg(event_count) AS avg_event_count 
| predict avg_event_count
| tail 1
| fields prediction(avg_event_count)

 
Please share if you need any more details from my end. I hope to seek your inputs on solving the problem.

Thank you

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-19-2023 04:57 AM
How many (approximately) index sourcetype pairs you have? Only those few or e.g. tens/hundreds?
0 Karma
Reply

Taruchit
Contributor
‎10-19-2023 05:03 AM

Hi @isoutamo,

The current count is under 150.

Thank you

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-01-2023 12:45 AM

As long as you have only some pairs you could try map command https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Map

But you must follow up it's memory and other resource usage and when needed switch to other way to do it.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...