
predict command doesn't work

Contributor

Hi

I want to predict values of a field over time.
The result table of my search:


At the end of the search I use:

| timechart span=24h sum(sloc) as SLOC 
| eval _time = strftime(_time, "%Y-%m-%d") 
| fillnull value=0 
| predict SLOC 

The error I get:
External search command 'predict' returned error code 1.

I am using Splunk 6.5.7.

The result I would like to see is more days to come with the predicted 'SLOC' value.


Re: predict command doesn't work

Legend

@matansocher, perform fieldformat on _time after the prediction command.

index=_internal sourcetype=splunkd log_level!=INFO
| timechart span=24h sum(date_minute) as SLOC
| predict SLOC
| fieldformat _time=strftime(_time,"%Y/%m/%d")

Or else use span=1d if you want to use daily data for prediction:

index=_internal sourcetype=splunkd log_level!=INFO
| timechart span=1d sum(date_minute) as SLOC
| predict SLOC



| eval message="Happy Splunking!!!"
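
An added example, not part of the original posts: the asker's pipeline with the fix from this answer applied, run on constructed data so it can be tried without the original index. The `makeresults` rows, the helper field `n`, the `sloc` values and the 30-day window are constructed here; `future_timespan=7` is an assumption chosen to ask `predict` for seven further days, which is the output the question asks for.

```spl
| makeresults count=30
| streamstats count as n
| eval _time=relative_time(now(), "-" . tostring(31 - n) . "d@d")
| eval sloc=1000 + n * 25
| timechart span=1d sum(sloc) as SLOC
| fillnull value=0
| predict SLOC future_timespan=7
| fieldformat _time=strftime(_time, "%Y-%m-%d")
```

Because `_time` is still an epoch value when `predict` runs, the command can extend the series, and `fieldformat` changes only how the date is displayed.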



Re: predict command doesn't work

SplunkTrust

To add on to this: the predict command is very "unpredictable" and I typically stay away from using it. @matansocher didn't specify if his data is seasonal or non-seasonal, so perhaps the LLP5 algorithm he's using may not be the best choice.

You may also want to consider using the MLTK for time series forecasting, as it's more flexible, allows you to control sample sizes and gives more feedback.


Re: predict command doesn't work

Legend

@skoelpin... Predict command is very "unpredictable" LOL... true!!!

@matansocher, do read the documentation, as choosing the arguments to the predict command in accordance with the type of data being predicted is quite important, as stated by @skoelpin. I am just adding the documentation for Predict Command and Forecast Time Series Showcase Example Documentation for Machine Learning Toolkit App.




| eval message="Happy Splunking!!!"



Re: predict command doesn't work

Contributor

Thank you sko and niketnilay for your help. I have managed to use the Machine Learning Toolkit (Forecast Time Series in particular).
I have another question.
Is there a way to tell the algorithm to "strive" one value to 0 on a specific day?
I will explain better. Our project ends on some date and the SLOC field will then be zero, and I want to predict the value of the SLOC field based on the past, knowing that it will be 0 on a specific date.


Re: predict command doesn't work

Legend

@matansocher, actually I did not get the question quite clearly. However, if your intent is either to include one additional 0 count row per day or to remove the 0 count for each day, you can handle both scenarios in SPL, i.e. either use append or appendpipe with gentimes to add 0 count rows per day, or search count!=0 before calling the predict command.

Can you add some sample data with the requirement?




| eval message="Happy Splunking!!!"

