predict per host

deangoris · ‎03-26-2019

There are already some similar questions here, but we're not getting to an answer so far.
We would like to predict when the Free Disk Space counter is below a certain value for each host in the index.
An example for one host can be written and alerted on as follows:

index=perfmon host=server1 instance="D:" sourcetype="Perfmon:sqlserverhost:logicaldisk_daily" counter="% Free Space" 
| timechart min(Value) as "Free Space" 
| predict "Free Space" AS p_free_space algorithm=LLP5 future_timespan=180 
| where p_free_space<=5 
| sort _time 
| head 1 | fields _time host

The map command should give us the possibility to do this for multiple hosts, but we're missing something:

index=perfmon (host=server1 OR host=server2) 
| dedup host 
| map [search index=perfmon host=$host$ instance="D:" sourcetype="Perfmon:sqlserverhost:logicaldisk_daily" counter="% Free Space" 
| timechart min(Value) as "Free Space" 
| predict "Free Space" AS p_free_space algorithm=LLP5 future_timespan=180 
| where p_free_space<=5 ]

Anybody who can tell what we're missing...?
Thanks!

grana_splunk · ‎03-26-2019

Hi,

Did you looked into MLTK new algorithm StateSpaceforecast which supports multivariate? Checkout the blog below for more information:https://www.splunk.com/blog/2019/03/20/what-s-new-in-the-splunk-machine-learning-toolkit-4-2.html

Also, we have now new alerts for Machine learning which can be used in your usecase. Checkout the documentation on statespace forecast here : https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#StateSpaceForecast

Thanks,

predict per host

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability