predict function query

jiaqya
Builder

At times I find the predict function predicts values over 100% based on historical data.
Is there anything I can configure to ensure the predicted value does not go over 100%, i.e. cut off at 100%, or set the max value as 100%?

Basically, I want to limit the predict value so it does not go beyond a certain number.

john.

0 Karma

DavidHourani
Super Champion

hi @jiaqya,

Check this out:

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Predict

It's got everything you can do with the predict command, I don't see any way to limit the upper bound to 100 but you could always use eval on the resulting field and make a condition saying if > 100 then make it 100.

Cheers,
David

0 Karma

jiaqya
Builder

Thanks David, but it does not tell much about limiting the prediction value.

In my case, I'm trying to get a prediction for max CPU, and it seems that with 3 months of data it's predicting over 100% CPU, which is not true, so anything over 100% I would like to eval to 100.

Is there a way to do it via the predict function? Otherwise, would it be OK to do it with eval?

0 Karma

DavidHourani
Super Champion

Hey again @jiaqya, all available options for the predict command are in the reference sheet. I went through it again and there is no max boundary that can be set, which means the only way to avoid these weird over-100% predictions is to use predict followed by an eval setting the maximum value. Let me know if you're not able to build the eval; I'll help you out with it 🙂

0 Karma

jiaqya
Builder

Thanks for helping, David. I was having trouble evaluating the fields.

The field is maxCPU.

After predict I get a field called prediction(maxCPU).

I was not able to eval this field due to the nature of the function in it, due to the brackets.

I was trying the below, but it didn't work. See if you can help.

eval prediction(maxCPU)=if(prediction(maxCPU)>100,100,prediction(maxCPU))

0 Karma

DavidHourani
Super Champion

Try using the eval as follows:

|eval prediction(maxCPU)=if('prediction(maxCPU)'>100,100,'prediction(maxCPU)')

0 Karma

jiaqya
Builder

Thanks, that worked...

DavidHourani
Super Champion

awesome 😉

0 Karma
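A fuller version of the clamp discussed in this thread, as an added example that is not part of the original posts: it renames the predict outputs with `as`, `upper95=` and `lower95=` so no field name contains brackets, then bounds the forecast and its confidence band to 0-100 with `min()` and `max()`. The index, sourcetype, source field `pctCPU`, the 30-period horizon and the output names `cpu_forecast`, `cpu_upper` and `cpu_lower` are assumptions.

```spl
index=os sourcetype=cpu
| timechart span=1d max(pctCPU) as maxCPU
| predict maxCPU as cpu_forecast upper95=cpu_upper lower95=cpu_lower future_timespan=30
| eval cpu_forecast=max(0, min(cpu_forecast, 100))
| eval cpu_upper=min(cpu_upper, 100), cpu_lower=max(cpu_lower, 0)
```

If the default names are kept instead, the confidence fields `upper95(prediction(maxCPU))` and `lower95(prediction(maxCPU))` need the same single-quote treatment on the right-hand side of eval as the fix above.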