- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Use predict with dynamic values in MLTK
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey!
So I am trying to hand the Kalman filter in Splunk's MLTK a dynamic value for the period which I first find through Auto correlation Function in the sub search and is named corr_lag:
index = cisco_prod | timechart span=1h count as logins_hour |eval corr_lag= [`ACF_Correlation_Lag`]| predict "logins_hour" as prediction algorithm=LLP holdback=200 future_timespan=368 period=corr_lag upper95=upper95 lower95=lower95 | `forecastviz(368, 200, "logins_hour", 95)`
the sub search looks as follows:
search index = cisco_prod | timechart span=1h count as logins_hour | fit ACF logins_hour k=200 fft=true conf_interval=95 as corr | top limit=2 acf(corr),Lag | stats max(Lag) as corr_lag | return $corr_lag
Somehow I must do something wrong because I always get the following error:
command="predict", Invalid period : 'corr_lag'
the subsearch actually works fine and gives me the right period back.
Can somebody help me find the right way to do this?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Deniz_Oe,
You have a syntax issue with the predict command. The period predict command option requires a number to be present after it, it will not accept values from another field per the documentation: https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Predict
period
Syntax: period=<num>
Description: Specifies the length of the time period, or recurring cycle, in the time series data. The number must be at least 2. The LLP and LLP5 algorithms attempt to compute the length of time period if no value is specified. If you specify the span argument with the timechart command, the unit that you specify for span is the unit used for period. For example, if your search is ...|timechart span=1d foo2| predict foo2 period=3. The spans are 1 day and the period for the predict is 3 days. Otherwise, the unit for the time period is a data point. For example, if there are a thousand events, then each event is a unit. If you specify period=7, that means the data recycles after every 7 data points, or events.
Default: None
What you are trying to do still can be accomplished, but you need to use the map command to execute your query so it passes a token of the numeric value from your macro to execute your query:
index = cisco_prod
| timechart span=1h count as logins_hour
| fit ACF logins_hour k=200 fft=true conf_interval=95 as corr
| top limit=2 acf(corr),Lag
| stats max(Lag) as corr_lag
| map search="index = cisco_prod | timechart span=1h count as logins_hour | predict \"logins_hour\" as prediction algorithm=LLP holdback=200 future_timespan=368 period=$corr_lag$ upper95=upper95 lower95=lower95"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Deniz_Oe,
You have a syntax issue with the predict command. The period predict command option requires a number to be present after it, it will not accept values from another field per the documentation: https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Predict
period
Syntax: period=<num>
Description: Specifies the length of the time period, or recurring cycle, in the time series data. The number must be at least 2. The LLP and LLP5 algorithms attempt to compute the length of time period if no value is specified. If you specify the span argument with the timechart command, the unit that you specify for span is the unit used for period. For example, if your search is ...|timechart span=1d foo2| predict foo2 period=3. The spans are 1 day and the period for the predict is 3 days. Otherwise, the unit for the time period is a data point. For example, if there are a thousand events, then each event is a unit. If you specify period=7, that means the data recycles after every 7 data points, or events.
Default: None
What you are trying to do still can be accomplished, but you need to use the map command to execute your query so it passes a token of the numeric value from your macro to execute your query:
index = cisco_prod
| timechart span=1h count as logins_hour
| fit ACF logins_hour k=200 fft=true conf_interval=95 as corr
| top limit=2 acf(corr),Lag
| stats max(Lag) as corr_lag
| map search="index = cisco_prod | timechart span=1h count as logins_hour | predict \"logins_hour\" as prediction algorithm=LLP holdback=200 future_timespan=368 period=$corr_lag$ upper95=upper95 lower95=lower95"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @dmarling ,
thanks for the quick answer! However, if I now run the query
index = cisco_prod
| timechart span=1h count as logins_hour
| fit ACF logins_hour k=200 fft=true conf_interval=95 as corr
| top limit=2 acf(corr),Lag
| stats max(Lag) as corr_lag
| map search="index = cisco_prod | timechart span=1h count as logins_hour | predict \"logins_hour\" as prediction algorithm=LLP holdback=200 future_timespan=368 period=$corr_lag$ upper95=upper95 lower95=lower95"
It returns no results. I have not worked yet with map search, so I don't know if I have to do anything additional for it to work.
Would be grateful for further advice, thanks!
EDIT: adding a "search=" into the map search did the trick, thanks!
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
