What do you mean by the above code? I'm not sure I understand why or where I would use this to solve the problem of hiding dashboard panels with no results found. ... View more

Hi DalJeanis, I've actually had to remove the base search from my dashboard, that was the only way that this could work for me. Thanks for your input on this! ... View more

Format for the csv file -> DateLogged 1 5/9/2016 2 5/9/2016 3 5/10/2016 4 5/10/2016 5 5/11/2016 Format from the summary index -> _time 1 2018-11-02 2 2018-07-22 3 2018-07-20 4 2018-07-13 5 2018-07-09 ... View more

Hey somesoni2, I'm trying to build a predictive model using RandomForest in Splunk. I'm having issues with the inputlookup subsearch, and am trying to change it to use lookup instead and join the DateLogged field from the csv with _time from the index summary and see if the model will work as expected and push the prediction into the future. Currently its not doing that when I run the apply step on the model., if you have any suggestions for me I'm glad to hear them! Thanks! Fit -> index=summary *avg_Total_Capacity* | rename avg_Total_Capacity AS Total_GB | rename avg_Used_GB AS Used_GB | append [| inputlookup ServerName_G | fields - Disk | convert timeformat="%m/%d/%Y" mktime(DateLogged) as _time | rename DiskFreeSpaceMB as Free_GB | eval Free_GB=(Free_GB/1024) | rename DiskSizeMB as Total_GB | eval Total_GB=(Free_GB/PercentFree)*100 | eval Used_GB=(Total_GB-Free_GB)] | sort - _time | timechart span=1d avg(Total_GB) AS Total_GB avg(Used_GB) AS Used_GB | eval Total_GB=round(Total_GB,2) | eval Used_GB=round(Used_GB,2) | reverse | streamstats window=60 current=f first(Used_GB) as Predict_UsedGB_Future | reverse | fit RandomForestRegressor "Predict_UsedGB_Future" from "_time" into "RFRCapacity_v2" | eval DesiredCapacity_70PercUsed=(Predict_UsedGB_Future/.7) | eval Space_To_Add_GB=(DesiredCapacity_70PercUsed-Total_GB) | eval Predicted_PercUsed=(Predict_UsedGB_Future/Total_GB)*100 Apply -> index=summary *avg_Total_Capacity* | rename avg_Total_Capacity AS Total_GB | rename avg_Used_GB AS Used_GB | append [| inputlookup ServerName_G | fields - Disk | convert timeformat="%m/%d/%Y" mktime(DateLogged) as _time | rename DiskFreeSpaceMB as Free_GB | eval Free_GB=(Free_GB/1024) | rename DiskSizeMB as Total_GB | eval Total_GB=(Free_GB/PercentFree)*100 | eval Used_GB=(Total_GB-Free_GB)] | sort - _time | apply "RFRCapacity_v2" | timechart span=1d avg(Predict_UsedGB_Future) as Predict_UsedGB_Future | eval residual = 'Used_GB' - 'predicted(Used_GB)' | eval baseline=0 | eval Predict_UsedGB_Future='Predict_UsedGB_Future' ... View more

Hi Vijeta, The above code isn't working for me. When I apply this to my search string it hides panels even if they have content. I've tried this with using the "done" tag, like you had specified, as well as using the "progress" tag, and still no luck. Please see my code below. Thanks! <panel depends="$panel_show$"> <table> <title>Top 5 Count of CPU Utilization &gt; 80% by Host</title> <search base="indexos"> <query>| where Percent_CPU_Load &gt; 80 | stats count by host | sort - count | head 5</query> <done> <condition match="'job.resultCount' &gt; 0"> <set token="panel_show">true</set> </condition> <condition> <unset token="panel_show"></unset> </condition> </done> </search> ... View more