I have a search using the predict function
index=core eventtype="Device" DeviceName=Device1 earliest=-10d@d latest=+10d@d | timechart span=d max(ThrputMbps) as ThrputMbps | predict ThrputMbps as predict1 future_timespan=10 holdback=1 | eval LicLimit=410 | fields - upper* lower* | eval lic_hit=if(predic1>=LicLimit,0,500)
What I want to do is somehow capture where the licenc is being hit.
I was thinking of doing something like:
eval lic_hit=if(predic1>=LicLimit,0,500)
-- 0 until it is hit and 500 there after
but I cant get this to work. I'm thinking I need a where but I am not sure of the syntax to do this, something like
where predict is >= to Liclimit, create a field called lic_hit from that point, else the field called lic_hit will be zero
PIC:
Hi,
Can you please validate is the predic1 is numeric? You can check it by command isnum.
Thanks!!
Yes I thinkit is, if my understaning of the if function is right?
I added this to my search
...| | eval test=if(isnum(predict1),"T","F")
And this is a sample of the out put I get.
_time ThrputMbps Limit lic_hit predict1 test
2015-05-05 367.79 410 500 F
2015-05-06 334.07 410 500 F
2015-05-07 377.12 410 500 300.35 T
2015-05-08 328.83 410 500 375.072319312 T
2015-05-09 312.21 410 500 333.495 T
2015-05-10
..| eval lic_hit2=if(min(predict1)<max(hLicLimit),4502,5002)
this works but is not what I want, but maybe this expains how the if function works.
what I want is if the value of predict1
is < LicLimit
I want lic_hit
to have a zero value for that row, else if the value of predict1
is => LicLimit
I want lic_hit
to have a zero value for that row
E.G.
_time ThrputMbps Limit lic_hit predict1
2015-05-05 367.79 290 0 289
2015-05-06 334.07 290 500 290
2015-05-07 377.12 290 500 300.35
2015-05-08 290 500 375.072319312
2015-05-09 290 500 333.495
Use,
|eval lic_hit = if(isnum(predict1),if(predict1<LicLimit,0,500),0)
Above command will make sure that if predicted value is not number it will assign 0 to lic_hit.