Splunk Search

How to use predict command?

New Member

20/08/2016 580.22 566.57 13.65
21/08/2016 580.22 106.6 473.62
22/08/2016 580.22 80.88 499.34
23/08/2016 580.22 96.34 483.88
24/08/2016 580.22 566.57 13.65
25/08/2016 580.22 107.49 472.73
26/08/2016 580.22 112.1 468.12

I inserted raw date today in Splunk with the help of CSV file

I am getting time=10/05/2017 only which is of today's date.
Also i have a field name as Date which contains all the date of this month.
I am trying to predict USED
GB on the basis of my date.
But when i try to use predict command to predict USED_GB its not working for me. Timechart is giving me error.

Could any one please help me how can i use predict ?
I have also attached the glimpse of raw data in the form of csv with this question

Tags (3)
0 Karma


Try the following:

| eval _time=strptime(Date,"%d/%m/%Y")
| timechart span=1d max(USED_GB) as USED_GB
| predict USED_GB 

PS: If you insert the CSV data to Splunk with correct timestamp recognition, eval statement will not be required. You have only one row per day, however, I am ensuring the same using span=1d and max() aggregation function. Since the issue seems to be with timechart command and not predict, you might have to provide your timechart query and error detail, if the above does not solve the same.

There are several other factors for predict command to work as per your data like algorithm, holdback, correlation, confidence intervals, future timespan etc. Refer to the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Predict

Also you should get the Machine Learning Toolkit (which also requires Python for Scientific Computing Add On to work). You should check out some of Forecast Time Series examples (Your use case is similar to Forecast Internet Traffic data). The app also has links to Video Tutorials and several Tool Tips as well as option to see SPL powering various panels. As a bonus you have some unique Visualizations specifically for Predictions and Detecting Outliers. Try to feed several year of Data to train and fit the model.

| makeresults | eval message= "Happy Splunking!!!"


What is the query in which you are using predict?
What error are you getting from timechart?
If _time is only today's date then it means Splunk can't find a date in your data so it's using the current date or the file modification date. Check your timestamp settings.

If this reply helps you, an upvote would be appreciated.
0 Karma