Solved: Predict stops working when eval used - Splunk Community

Splunk Search

Hi,

Looking to start using Splunk to do trending and forecasting (predict).

index=os  sourcetype=cpu   host=ukdc1-xxx-xxx* earliest=-1w | eval Total=(pctSystem+pctUser) | timechart avg(Total)  span=1h | predict Total future_timespan=168 algorithm=LL

Getting the old 'Too few data points' error.

This works, but i need the two cpu fields added together to get the total amount of CPU busy time...

index=os  sourcetype=cpu   host=ukdc1-xxx-xxx* earliest=-1w | timechart avg(pctSystem) span=1h AS AVG | predict AVG future_timespan=168 algorithm=LL

1 Solution

Solution

I think you have a typo in your failing line. It looks like you mean:

... | timechart avg(Total) span=1h AS Total | ...

View solution in original post

Solution

I think you have a typo in your failing line. It looks like you mean:

... | timechart avg(Total) span=1h AS Total | ...

That did it!

The lower95 line is dropping to -25, can this be contained as -25% CPU utilization isn't really possible?

Cheers

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...