Splunk Search

How to write a search to get a predicted value based on a date and a number of data points?

peterkn
Explorer

I have looked at the predict clause and the "x11", however, I'm still struggling to find the right search to get the data I want.

Say I have 2 columns
Report_Date Population
11/01/2015 122
22/02/2015 125
09/04/2015 141
14/05/2015 155

I would like to use the predict command to get the population at X date (say 01/01/2016). What should my search be?

Any help is greatly appreciated.

0 Karma

jeffland
SplunkTrust

Basically, you just use | predict Population for that. Keep in mind that in order to use the command, you need a _time field, so you will have to either change your search before that to use that field, or create it from Report_Date with strptime.

0 Karma
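
A runnable sketch of the approach in the answer above, added here as an illustration and not part of the original posts: it rebuilds the four rows from the question, derives _time from Report_Date with strptime (assuming day/month/year, which 22/02/2015 implies), buckets the series monthly so predict sees evenly spaced points, and forecasts eight months ahead to reach the January 2016 bucket. The field name constructed_rows, the monthly span and the choice of algorithm=LLT are assumptions, not something the thread specifies.

```spl
| makeresults
| eval constructed_rows="11/01/2015,122 22/02/2015,125 09/04/2015,141 14/05/2015,155"
| makemv delim=" " constructed_rows
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<Report_Date>[^,]+),(?<Population>\d+)$"
| eval _time=strptime(Report_Date, "%d/%m/%Y")
| timechart span=1mon avg(Population) AS Population
| predict Population algorithm=LLT future_timespan=8
```

The forecast appears in the prediction(Population) field, with lower95(prediction(Population)) and upper95(prediction(Population)) as the confidence bounds.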

peterkn
Explorer

On the same issue, I did use your approach and it works, so thanks.

How do I use Predict for more than 1 column?

Say I have another column called "Number of jobs available" or "Unemployment Rate", how do I predict these columns as well? Do I have to manually write the predict clause for each of the columns? As I have about 10 columns I need to use the Predict function for.

0 Karma

jeffland
SplunkTrust

Unfortunately, you'll have to write your search like

... | predict field_1 | predict field_2

because you can't use predict inside of foreach.

0 Karma