predict function query

jiaqya
Builder

At times I find the predict function predicts values over 100% based on historical data.
Is there anything I can configure to ensure the predicted value does not go over 100%, i.e. cut off at 100%, or set the max value as 100%?

Basically I want to limit the predicted value so it does not go beyond a certain number.

john.


DavidHourani
Super Champion

Hi @jiaqya,

Check this out:

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Predict

It's got everything you can do with the predict command. I don't see any way to limit the upper bound to 100, but you could always use eval on the resulting field and make a condition saying if > 100 then make it 100.

Cheers,
David

jiaqya
Builder

Thanks, David, but it does not say much about limiting the prediction value.

In my case, I'm trying to get a prediction for max CPU, and it seems with 3 months of data it's predicting over 100% CPU, which is not true, so anything over 100% I would like to eval to 100.

Is there a way to do it via the predict function, or else would it be OK to do it with eval?


DavidHourani
Super Champion

Hey again @jiaqya, all available options for the predict command are in the reference sheet. I went through it again and there is no max boundary that can be set, which means the only way to avoid these weird over-100% predictions is to use predict followed by eval setting the maximum value. Let me know if you're not able to build the eval and I'll help you out with it 🙂


jiaqya
Builder

Thanks for helping, David. I was having trouble evaluating the fields.

The field is maxCPU.

After predict I get a field called prediction(maxCPU).

I was not able to eval this field due to the nature of the function in it, due to the brackets.

I was trying the below; it didn't work. See if you can help.

eval prediction(maxCPU)=if(prediction(maxCPU)>100,100,prediction(maxCPU))


DavidHourani
Super Champion

Try using the eval as follows:

|eval prediction(maxCPU)=if('prediction(maxCPU)'>100,100,'prediction(maxCPU)')

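A fuller version of the same pattern, as an added example that is not from the thread: it runs predict over an hourly max-CPU timechart and then clamps the prediction and both 95% confidence bounds into the 0 to 100 range (the thread only caps the upper side). The index, sourcetype, source field name pctCPU, span and future_timespan values are assumed placeholders; the output field names are the ones predict generates by default.

```spl
index=os sourcetype=cpu host=*
| timechart span=1h max(pctCPU) AS maxCPU
| predict maxCPU future_timespan=24
| eval prediction(maxCPU)=min(max('prediction(maxCPU)', 0), 100)
| eval upper95(prediction(maxCPU))=min(max('upper95(prediction(maxCPU))', 0), 100)
| eval lower95(prediction(maxCPU))=min(max('lower95(prediction(maxCPU))', 0), 100)
```

The nested min(max(...)) does the clamping in one expression instead of an if(); the single-quoted names on the right-hand side are what let the parenthesised field names parse, exactly as in David's answer, while the left-hand side uses the unquoted form the thread confirmed works.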

jiaqya
Builder

Thanks, that worked...

DavidHourani
Super Champion

Awesome 😉
