- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- predict function query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
at time i find the predict function predicts values over 100% based on historical data.
is there anything i can configure to ensure the predicted value does not go over 100%, ie cutoff at 100%, or set max value as 100% ?
basically want to limit the predict value not to go beyond a certain number
john.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @jiaqya,
Check this out :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Predict
It's got everything you can do with the predict command, I don't see any way to limit the upper bound to 100 but you could always use eval on the resulting field and make a condition saying if > 100 then make it 100.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @jiaqya,
Check this out :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Predict
It's got everything you can do with the predict command, I don't see any way to limit the upper bound to 100 but you could always use eval on the resulting field and make a condition saying if > 100 then make it 100.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks David, but it does not tell much about limiting the prediction value.
in my case , im trying to get prediction for max cpu, and it seems with 3 months of data, its predicting over 100% of cpu, which is not true, so anything over 100% i would like to eval it to 100.
is there a way to do it via predict function, else would it be ok to do it with eval..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey again @jiaqya, all available options for the predict commands are in the reference sheet. I went through it again and there is no max boundary that can be set which means the only way to avoid these weird over 100% predictions is to use predict followed by eval setting the maximum value. Let me know if you're not able to build the eval I'll help you out with it 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for helping David, i was having trouble evaluating the fields.
the field is maxCPU
after predict i get a field called prediction(maxCPU)
i was not able to eval this field due to the nature of function in it, due to brackets.
i was trying below, didnt work, see if you can help.
eval prediction(maxCPU)=if(prediction(maxCPU)>100,100,prediction(maxCPU))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using the eval as follows :
|eval prediction(maxCPU)=if('prediction(maxCPU)'>100,100,'prediction(maxCPU)')
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks ,that worked...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
awesome 😉
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
