Splunk Search

How to use predict command?


20/08/2016 580.22 566.57 13.65
21/08/2016 580.22 106.6 473.62
22/08/2016 580.22 80.88 499.34
23/08/2016 580.22 96.34 483.88
24/08/2016 580.22 566.57 13.65
25/08/2016 580.22 107.49 472.73
26/08/2016 580.22 112.1 468.12

I inserted the raw data today into Splunk with the help of a CSV file.

I am getting _time=10/05/2017 only, which is today's date.
Also, I have a field named Date which contains all the dates of this month.
I am trying to predict USED_GB on the basis of my date.
But when I try to use the predict command to predict USED_GB, it is not working for me. Timechart is giving me an error.

Could anyone please help me with how I can use predict?
I have also attached a glimpse of the raw data in the form of a CSV with this question.



Try the following:

| eval _time=strptime(Date,"%d/%m/%Y")
| timechart span=1d max(USED_GB) as USED_GB
| predict USED_GB 

PS: If you insert the CSV data into Splunk with correct timestamp recognition, the eval statement will not be required. You have only one row per day; however, I am ensuring the same using span=1d and the max() aggregation function. Since the issue seems to be with the timechart command and not predict, you might have to provide your timechart query and the error details if the above does not solve it.

There are several other factors for the predict command to work as per your data, like algorithm, holdback, correlation, confidence intervals, future timespan, etc. Refer to the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Predict

Also, you should get the Machine Learning Toolkit (which also requires the Python for Scientific Computing add-on to work). You should check out some of the Forecast Time Series examples (your use case is similar to Forecast Internet Traffic data). The app also has links to video tutorials and several tool tips, as well as the option to see the SPL powering various panels. As a bonus, you have some unique visualizations specifically for predictions and detecting outliers. Try to feed several years of data to train and fit the model.

| makeresults | eval message= "Happy Splunking!!!"
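The three-stage pipeline in the answer above (fix _time with strptime, bucket with timechart, then predict), as an added self-contained example that is not part of the original answer. The seven rows are constructed from the sample in the question, on the assumption that the second numeric column is USED_GB (the page does not name its columns), and they are built inline with makeresults so the search runs without the uploaded CSV. It uses algorithm=LL, the plain local-level model, because the default LLP5 and the other periodic algorithms need several full cycles of history to detect a period, and seven days of data only exercises the pipeline; future_timespan=7 and the field name predicted_USED_GB are choices made here, not something the original answer specified.

```spl
| makeresults
| eval rows="20/08/2016,566.57;21/08/2016,106.6;22/08/2016,80.88;23/08/2016,96.34;24/08/2016,566.57;25/08/2016,107.49;26/08/2016,112.1"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<Date>[^,]+),(?<USED_GB>.+)$"
| eval USED_GB=tonumber(USED_GB)
| eval _time=strptime(Date, "%d/%m/%Y")
| timechart span=1d max(USED_GB) AS USED_GB
| predict USED_GB AS predicted_USED_GB algorithm=LL future_timespan=7 holdback=0
```

The first five lines only exist to fabricate events from the constructed sample; with the real CSV indexed, replace them with the base search for that sourcetype and keep everything from the strptime line down. The strptime line is what makes timechart work at all: as long as every event carries today's _time, timechart puts all seven rows into one bucket and predict has a single point to work with. The tonumber() call is there because rex produces strings, and max() on a string field silently yields nothing. Once you have enough history, drop algorithm=LL and let the default LLP5 pick up the weekly pattern, and use holdback to reserve the last days as a check on the forecast.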


What is the query in which you are using predict?
What error are you getting from timechart?
If _time is only today's date, then it means Splunk can't find a date in your data, so it's using the current date or the file modification date. Check your timestamp settings.

If this reply helps you, Karma would be appreciated.
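The timestamp settings the answer above refers to, as an added example that is not part of the original reply. For a CSV that Splunk reads with indexed extractions, the props.conf stanza below tells it to take the event time from the Date column and parse it as day/month/year, so _time stops defaulting to the file modification time; the stanza name used_gb_csv is an assumed sourcetype name, not one from the page.

```ini
# props.conf (assumed sourcetype name; match it to the sourcetype you upload the CSV under)
[used_gb_csv]
# Parse the file as CSV and use the header row for field names (Date, USED_GB, ...)
INDEXED_EXTRACTIONS = csv
# Take the timestamp from the Date column instead of searching the raw line
TIMESTAMP_FIELDS = Date
# 20/08/2016 is day/month/year; without this Splunk would read 10/05 as October 5
TIME_FORMAT = %d/%m/%Y
```

After re-indexing, confirm the fix with `| stats min(_time) max(_time) count` on the sourcetype: the two times should span the dates in the file, not collapse to the day of upload. Also watch the date order: a %m/%d/%Y guess on 20/08/2016 fails (month 20 does not exist) and falls back to the modification time, which is exactly the symptom in the question.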