Solved: How to write a search to get a predicted value bas...

peterkn · ‎01-18-2016

I have looked at the predict cause and the "x11", however, I'm still struggling to find the right searcg to get the data I want.

Say I have 2 columns
Report_Date Population
11/01/2015 122
22/02/2015 125
09/04/2015 141
14/05/2015 155

I would like to use the predict command to get the population at X date (say 01/01/2016). What should my search be?

Any help is greatly appreciated.

jeffland · ‎01-19-2016

Basically, you just use | predict Population for that. Keep in mind that in order to use the command, you need a _time field, so you will have to either change your search before that to use that field, or create it from Report_Date with strptime.

View solution in original post

jeffland · ‎01-19-2016

Basically, you just use | predict Population for that. Keep in mind that in order to use the command, you need a _time field, so you will have to either change your search before that to use that field, or create it from Report_Date with strptime.

peterkn · ‎01-19-2016

On the same issue, I did use your approach and it works, so thanks.

How do I use Predict for more than 1 column.

Say I have another column called "Number of jobs available" or "Unemployment Rate", how do I predict these columns as well? Do I have to manually write the predict clause for each of the column? As I have about 10 columns I need to use the Predict function for.

jeffland · ‎01-20-2016

Unfortunately, you'll have to write your search like

... | predict field_1 | predict field_2

because you can't use predict inside of foreach.

How to write a search to get a predicted value based on a date and a number of data points?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...