How to use predict command?

m7787579
New Member

Date ALLOCATED_GB USED_GB Difference
20/08/2016 580.22 566.57 13.65
21/08/2016 580.22 106.6 473.62
22/08/2016 580.22 80.88 499.34
23/08/2016 580.22 96.34 483.88
24/08/2016 580.22 566.57 13.65
25/08/2016 580.22 107.49 472.73
26/08/2016 580.22 112.1 468.12

I inserted raw data today in Splunk with the help of a CSV file.

I am getting _time=10/05/2017 only, which is today's date.
Also, I have a field named Date which contains all the dates of this month.
I am trying to predict USED_GB on the basis of my date.
But when I try to use the predict command to predict USED_GB, it's not working for me. Timechart is giving me an error.

Could anyone please help me with how I can use predict?
I have also attached a glimpse of the raw data in the form of a CSV with this question.

0 Karma

niketn
Legend

Try the following:

| eval _time=strptime(Date,"%d/%m/%Y")
| timechart span=1d max(USED_GB) as USED_GB
| predict USED_GB 

PS: If you insert the CSV data to Splunk with correct timestamp recognition, the eval statement will not be required. You have only one row per day; however, I am ensuring the same using span=1d and the max() aggregation function. Since the issue seems to be with the timechart command and not predict, you might have to provide your timechart query and error details if the above does not solve it.

There are several other factors for the predict command to work with your data, like algorithm, holdback, correlation, confidence intervals, future timespan, etc. Refer to the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Predict

Also, you should get the Machine Learning Toolkit (which also requires the Python for Scientific Computing Add-On to work). You should check out some of the Forecast Time Series examples (your use case is similar to Forecast Internet Traffic data). The app also has links to video tutorials and several tool tips, as well as an option to see the SPL powering various panels. As a bonus, you have some unique visualizations specifically for predictions and detecting outliers. Try to feed several years of data to train and fit the model.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
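
A run-anywhere version of the search in the reply above, added here as an example and not taken from the original posts: it rebuilds the seven sample rows from the question with makeresults, so nothing has to be indexed first. The algorithm=LL and future_timespan=3 settings and the predicted_USED_GB field name are assumptions chosen for illustration.

```spl
| makeresults
| eval raw="20/08/2016,580.22,566.57;21/08/2016,580.22,106.6;22/08/2016,580.22,80.88;23/08/2016,580.22,96.34;24/08/2016,580.22,566.57;25/08/2016,580.22,107.49;26/08/2016,580.22,112.1"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<Date>[^,]+),(?<ALLOCATED_GB>[^,]+),(?<USED_GB>[^,]+)$"
| eval _time=strptime(Date, "%d/%m/%Y")
| where isnotnull(_time)
| timechart span=1d max(USED_GB) AS USED_GB
| predict USED_GB AS predicted_USED_GB algorithm=LL future_timespan=3
```

The where clause drops any row whose Date value does not match %d/%m/%Y, so a malformed date cannot leave an event without a usable _time before timechart buckets the data by day.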

richgalloway
SplunkTrust

What is the query in which you are using predict?
What error are you getting from timechart?
If _time is only today's date then it means Splunk can't find a date in your data so it's using the current date or the file modification date. Check your timestamp settings.

---
If this reply helps you, Karma would be appreciated.
0 Karma