Splunk Search

predict command doesent work

matansocher
Contributor

Hi

I want to predict values of a field over time.
the result table of my search:

alt text

In the end of the search I use:

| timechart span=24h sum(sloc) as SLOC 
| eval _time = strftime(_time, "%Y-%m-%d") 
| fillnull value=0 
| predict SLOC 

the error I get:
External search command 'predict' returned error code 1.

I am using splunk 6.5.7

the results I would like to see is more days to come with the 'SLOC' predicted value.

0 Karma
1 Solution

niketn
Legend

@matansocher, perform fieldformat on _time after the prediction command.

index=_internal sourcetype=splunkd log_level!=INFO
| timechart span=24h sum(date_minute) as SLOC
| predict SLOC
| fieldformat _time=strftime(_time,"%Y/%m/%d")

Or else use span=1d if you want to use daily data for prediction

index=_internal sourcetype=splunkd log_level!=INFO
| timechart span=1d sum(date_minute) as SLOC
| predict SLOC
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@matansocher, perform fieldformat on _time after the prediction command.

index=_internal sourcetype=splunkd log_level!=INFO
| timechart span=24h sum(date_minute) as SLOC
| predict SLOC
| fieldformat _time=strftime(_time,"%Y/%m/%d")

Or else use span=1d if you want to use daily data for prediction

index=_internal sourcetype=splunkd log_level!=INFO
| timechart span=1d sum(date_minute) as SLOC
| predict SLOC
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

skoelpin
SplunkTrust
SplunkTrust

To add on to this.. The predict command is very "unpredictable" and I typically stay away from using it. @matansocher didn't specify if his data is seasonal or non-seasonal so perhaps the LLP5 algorithm he's using may not be the best choice..

You may also want to consider using the MLTK for time series forecasting as its more flexible and allows you to control sample sizes and gives more feedback

niketn
Legend

@skoelpin... Predict command is very "unpredictable" LOL... true!!!

@matansocher do read documentation as arguments to predict command in accordance to the type of data being predicted is quite important as stated by @skoelpin. I am just adding the documentation for Predict Command and Forecast Time Series Showcase Example Documentation for Machine Learning Toolkit App.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

matansocher
Contributor

Thanks you sko and niketnilay for your help. I have managed to use the machine learning tool kit (Forecast Time Series in particular).
I have another question.
is there a way to tell the algorithm to "strive" one value to 0 in a specific day?
I will explain better. our project ends in some date and the SLOC field will then be zero, and I want to predict the value of the SLOC field based on the past, and with knowing that it will be 0 in a specific date.

0 Karma

niketn
Legend

@matansocher, actually I did not get the question quite clearly. However, if your intent is to either include one addition 0 count row per day or remove 0 count for each day. For both the scenarios you can handle the same in SPL i.e. either use append or appendpipe with gentimes to add 0 count rows per day or search count!=0 before calling the predict command.

Can you add some sample data with the requirement?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...