Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Run predict command for multiple disk in same query

RSS_STT
Explorer
2 weeks ago

I have multiple disk like C, D & E on server and want to do the prediction for multiple disk in same query.

index=main host="localhost"  instance="C:" sourcetype="Perfmon:LogicalDisk" counter="% Free Space" | timechart min(Value) as "Used Space" | predict "Used Space" algorithm=LLP5 future_timespan=180

Could anyone help with modified query.

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
Super Champion
2 weeks ago

Hi @RSS_STT 

The predict command can take a number of fields, such as in this example below, allowing you to run the predict against all your drives.

| makeresults count=5
| streamstats count
| eval instance = case(count%3==1, "C:", count%3==2, "D:", true(), "E:")
| eval Value = case(instance=="C:", 90 - count*5, instance=="D:", 80 - count*4, instance=="E:", 70 - count*3)
| append [| makeresults count=5
| eval _time = relative_time(now(), "-1h")
| streamstats count
| eval instance = case(count%3==1, "C:", count%3==2, "D:", true(), "E:")
| eval Value = case(instance=="C:", 880 - count*5, instance=="D:", 82 - count*4, instance=="E:", 70 - count*3)]
| fields _time, instance, Value
| timechart min(Value) as "FreeSpace" by instance
| fillnull "C:" "D:" "E:"
| predict "C:" "D:" "E:" algorithm=LLP5 future_timespan=180

 

livehybrid_0-1746437121904.png

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

Assuming instance contains the disk you want to predict, you could try something like this

index=main host="localhost"  instance="C:" sourcetype="Perfmon:LogicalDisk" counter="% Free Space" 
| eval instance=substr(instance,0,1)
| timechart min(value) as "Used Space" by instance
| appendpipe
    [| fields _time C
    | where isnotnull(C)
    | predict C algorithm=LLP5 future_timespan=180]
| appendpipe
    [| fields _time D
    | where isnotnull(D)
    | predict D algorithm=LLP5 future_timespan=180]
| appendpipe
    [| fields _time E
    | where isnotnull(E)
    | predict E algorithm=LLP5 future_timespan=180]
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...