I want to predict values of a field over time.
The result table of my search:
At the end of the search I use:
| timechart span=24h sum(sloc) as SLOC | eval _time = strftime(_time, "%Y-%m-%d") | fillnull value=0 | predict SLOC
The error I get:
External search command 'predict' returned error code 1.
I am using Splunk 6.5.7.
The result I would like to see is more days to come, with the 'SLOC' predicted value.
@matansocher, perform fieldformat on _time after the prediction command.
index=_internal sourcetype=splunkd log_level!=INFO | timechart span=24h sum(date_minute) as SLOC | predict SLOC | fieldformat _time=strftime(_time,"%Y/%m/%d")
Or else use span=1d if you want to use daily data for prediction:
index=_internal sourcetype=splunkd log_level!=INFO | timechart span=1d sum(date_minute) as SLOC | predict SLOC
To add on to this: the predict command is very "unpredictable" and I typically stay away from using it. @matansocher didn't specify if his data is seasonal or non-seasonal, so perhaps the LLP5 algorithm he's using may not be the best choice.
You may also want to consider using the MLTK for time series forecasting, as it's more flexible, allows you to control sample sizes, and gives more feedback.
Predict command is very "unpredictable" LOL... true!!!
@matansocher, do read the documentation, as the arguments to the predict command, in accordance with the type of data being predicted, are quite important, as stated by @skoelpin. I am just adding the documentation for the Predict Command and the Forecast Time Series Showcase Example Documentation for the Machine Learning Toolkit App.
Thank you sko and niketnilay for your help. I have managed to use the Machine Learning Toolkit (Forecast Time Series in particular).
I have another question.
Is there a way to tell the algorithm to "strive" one value to 0 on a specific day?
I will explain better. Our project ends on some date and the SLOC field will then be zero, and I want to predict the value of the SLOC field based on the past, knowing that it will be 0 on a specific date.
@matansocher, actually I did not get the question quite clearly. However, if your intent is either to include one additional 0 count row per day or to remove the 0 counts for each day, you can handle both scenarios in SPL, i.e. either use gentimes to add 0 count rows per day or search count!=0 before calling the predict command.
Can you add some sample data with the requirement?