How can I predict the number of events sent for ea...

davietch · ‎04-03-2018

Hi,

I am using the MachineLearning Toolkit in order to predict how many events each host are usually sending.
To do so, I selected the "Predict Numeric Fields" showcase and created the following command:

| tstats count where index=*  by host,_time span=1h
|eval date_wday=strftime(_time,"%w"), date_hday=strftime(_time,"%H")

This gives me the number of event per host for each hour. I also compute 2 fields: the weekday and the hour of the day.

But when I run the Linear Regression with "count" field to predict and the "host", "date_wday" and "date_hday" as used fields for predicting, the result is awful.
When I filter on just one host, the prediciting is working quite well but as soon as there are severals hosts names, the ML does not work.

Any idea how to create a model that take in account the name of the host? Maybe some preprocessing?

Thanks

jcoates · ‎04-03-2018

I expect that means that each host is a different context with different data and needs a different linear regression. If they were all the same then the model of one's past would predict future for all the others. Since your results show that isn't true...

davietch · ‎04-04-2018

Yes they all have a different behavior, but I can not create a model for my 20K Forwarders.... Can I? I bet there is a more clever solution..

jcoates · ‎04-04-2018

do groups behave similarly? Can you make a model for each group?

davietch · ‎04-05-2018

I do not have groups... They all behave differently

How can I predict the number of events sent for each host in the Splunk Machine Learning Toolkit?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!