topic Re: prediction in splnuk in Splunk Search

prediction in splnuk

splunkpoornima — Mon, 28 Sep 2020 12:51:28 GMT

hi all,

i am splunk 5.0 and i tried the query below with predict function as given in the document

source="hdfs://172.25.192.226:8020/user/cloudera/input/taskmanager_log20111210_09.19.49.txt"| transaction TaskAction startswith=START endswith=Succeeded| timechart count(duration) by TaskAction|predict count(duration) as Durationf

but it throws me error as

command="predict", Too few data points: 0. Need at least 2

Thanks in Advance

poornima

Re: prediction in splnuk

martin_mueller — Fri, 23 Nov 2012 10:00:36 GMT

Look at the table produced by your timechart. There's no column "count(duration)", hence predict complains about too few data points.

Re: prediction in splnuk

Drainy — Fri, 23 Nov 2012 10:03:47 GMT

I've said this in a few questions, but please please read the docs. With that error the first thing you should do is read the docs;

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Predict

Nowhere does it say you can use stats commands, In this case you would rename you count and use;

| predict count as Durationf

Re: prediction in splnuk

splunkpoornima — Fri, 23 Nov 2012 10:18:20 GMT

i refered the document and then only i used this command...

predict [AS ]

|predict count(duration) as DurationF

Re: prediction in splnuk

Drainy — Fri, 23 Nov 2012 10:27:57 GMT

right, that isn't a predictable field, you'd need to do an AS rename to change it to something like count or dur_count to then run predict on

Re: prediction in splnuk

splunkpoornima — Mon, 28 Sep 2020 12:51:31 GMT

hi martin,

i changed the query but this time i got the different error
as u suggested,

source="hdfs://172.25.192.226:8020/user/cloudera/input/taskmanager_log20111210_09.19.49.txt"| transaction TaskAction_1 startswith=START endswith=Succeeded|Table _time TaskAction_1 duration|predict duration AS dur_count

it shows error as

External search command 'predict' returned error code 1

Re: prediction in splnuk

martin_mueller — Fri, 23 Nov 2012 10:37:32 GMT

I suggested you look at the result of the timechart to see what columns there are. Only those columns are put into the predict, hence only those columns are available to be predicted.

Re: prediction in splnuk

martin_mueller — Fri, 23 Nov 2012 10:40:12 GMT

Renaming the count(duration) shouldn't help because it's split up with a by clause.

Re: prediction in splnuk

Drainy — Fri, 23 Nov 2012 10:49:56 GMT

Right, and it won't work because of the split by

Re: prediction in splnuk

splunkpoornima — Fri, 23 Nov 2012 11:05:16 GMT

Hi martin ,

below is the table produced by the timechart

please verify

Re: prediction in splnuk

martin_mueller — Fri, 23 Nov 2012 11:06:46 GMT

Yup, that's the table.

...in case you wanted more than a verification of that being the table, look for the column you wanted to predict called "count(duration)" - it doesn't exist, hence cannot be predicted.

Re: prediction in splnuk

pachurrito62 — Thu, 31 Jul 2014 19:26:00 GMT

how do i predict all fields in that table without specifying all of them? Is there something like | predict * ?

Re: prediction in splnuk

martin_mueller — Thu, 31 Jul 2014 19:48:09 GMT

As noted in the docs linked by Drainy, predict takes a field name - no wildcards.

Re: prediction in splnuk

laurie_gellatly — Thu, 08 Dec 2016 02:52:50 GMT

I've extended predict to allow it to take '*' as a wildcard
Maybe you can too?

...Laurie:{)

Re: prediction in splnuk

martin_mueller — Sat, 10 Dec 2016 14:43:09 GMT

Feel free to publish your extended predict as an app on splunkbase.

Re: prediction in splnuk

VatsalJagani — Sun, 27 May 2018 06:06:45 GMT

Hey @laurie_gellatly,
Can you please share your idea about how you extend predict to use wildcard or dynamic column name with predict function ?

Re: prediction in splnuk

laurie_gellatly — Wed, 30 May 2018 22:26:44 GMT

Hi @VatsalJagani,
I need to check I'm allowed to post the changes I made to predict.py
That's why I haven't already done it 🙂

Cheers ...Laurie:{)