Splunk Search

Using the predict command on disk usage, how do I return the date as a single value when the field prediction(Used Space) = 1 or less?

Norling80
Path Finder

Hi.

I'm using the predict command to determine when my machine will run out of disk based on the historical usage, and it works really well. However, instead of showing it as a graph, I want to display the date in time in a statistics view when the field prediction(Used Space) = 1 or less

The predict command automatically produce the fields lower95/Prediction/upper95 by default.

Here is the search:

index=main host="localhost" instance="G:" sourcetype="Perfmon:LogicalDisk" counter="% Free Space" | timechart min(Value) as "Used Space" | predict "Used Space" algorithm=LLP5 future_timespan=180

Any ideas how to get this result?

alt text

Tags (3)

badarsebard
Communicator

I would use the where command to set a criteria for the predicted value and then sort, head, and fields to get the value you are looking for. So something like this:

index=main host="localhost" instance="G:" sourcetype="Perfmon:LogicalDisk" counter="% Free Space" | timechart min(Value) as "Used Space" | predict "Used Space" AS p_used_space algorithm=LLP5 future_timespan=180 | where p_used_space<=1 | sort _time | head 1 | fields _time

This will filter out the rows not containing the desired prediction value (in this case <=1) then sort on time, take the first event (which is now chronologically first from the sort command) and display only the _time field. Hope this helps. I also love this use of the predict command, very clever. Will have to use this in my future endeavors. Thanks!

hwakonwalk
Path Finder

Hi,
I have a similar requirement and the query works fine, I want this time value displayed in a single value panel. Is there any way out?

0 Karma

Norling80
Path Finder

Great, spot on, thanks... but if i want to do this for multiple hosts in the same search adding timechart min(Value) as "Used Space" by host does not really cut it, any ides how to do it on multiple host level and present it in a table view with host, p_used_space as columns.

0 Karma

badarsebard
Communicator

So doing a split-by clause in timechart will create multiple columns(host) for each row(time bucket) with the value being the stats function in your timechart command. You'll then need to perform the predict command for each host series since predict isn't capable of a split-by or taking in multiple fields. What I would recommend is adding in the split-by host in timechart and then piping the timechart command into a foreach command whose subsearch is the "|predict | where | sort | head | fields" pipeline.

Foreach uses a wildcard list of fields (host* matches host1, host2, host3) so you may have to rename your hosts prior to piping into the foreach. It's clunky but a comma separated rename could do this, but I'm not sure how many hosts you're interested in, so it may not be practical for more than a few.

0 Karma

Norling80
Path Finder

thanks for the update, it´s +100 hosts, do you still think it´s doable or will it just be a renaming mess? BTW how would the search look like if we would run it on let´s say three hosts with the hostnames host1, host2 and host3?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...