Solved: Predict: Can I show only the predicted events in t...

mkelderm · ‎11-29-2013

I like the predict clause, but how can I show only the prediction of the 'future'. For example:

index=prd_stats earliest=-5d sourcetype=appman:DatabaseQueryMonitor resource=Counts@GMPROD_MONDRIAAN attribute=AANTAL |  timechart useother=f usenull=f span=15m limit=0 avg(value) as aantal | predict aantal lower99=low upper99=high algorithm=LLP future_timespan=40

This query shows the prediction for the comming 10 hours (span*40). But I only want to see the prediction of this 10 hours.

guilmxm · ‎12-23-2013

Hi,

You can do it easily, append a "where" condition after the predict command to exclude non predicted data.

In you example, append:

| where isnull(aantal)

View solution in original post

guilmxm · ‎12-23-2013

Hi,

You can do it easily, append a "where" condition after the predict command to exclude non predicted data.

In you example, append:

| where isnull(aantal)

mkelderm · ‎12-23-2013

so simple ! Thanks!

Predict: Can I show only the predicted events in the future?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?