https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354971#M105013 <P>@matansocher, actually I did not get the question quite clearly. However, if your intent is to either include one addition 0 count row per day or remove 0 count for each day. For both the scenarios you can handle the same in SPL i.e. either use <CODE>append</CODE> or <CODE>appendpipe</CODE> with <CODE>gentimes</CODE> to add 0 count rows per day or <CODE>search count!=0</CODE> before calling the predict command.</P> <P>Can you add some sample data with the requirement?</P> Wed, 25 Apr 2018 02:08:54 GMT niketn 2018-04-25T02:08:54Z https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354966#M105008 <P>Hi</P> <P>I want to predict values of a field over time.<BR /> the result table of my search:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4811i51BBB79FCE0EE36E/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>In the end of the search I use:</P> <PRE><CODE>| timechart span=24h sum(sloc) as SLOC | eval _time = strftime(_time, "%Y-%m-%d") | fillnull value=0 | predict SLOC </CODE></PRE> <P>the error I get:<BR /> External search command 'predict' returned error code 1.</P> <P>I am using splunk 6.5.7</P> <P>the results I would like to see is more days to come with the 'SLOC' predicted value.</P> Sun, 22 Apr 2018 08:07:13 GMT https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354966#M105008 matansocher 2018-04-22T08:07:13Z https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354967#M105009 <P>@matansocher, perform fieldformat on _time after the prediction command.</P> <PRE><CODE>index=_internal sourcetype=splunkd log_level!=INFO | timechart span=24h sum(date_minute) as SLOC | predict SLOC | fieldformat _time=strftime(_time,"%Y/%m/%d") </CODE></PRE> <P>Or else use <CODE>span=1d</CODE> if you want to use daily data for prediction</P> <PRE><CODE>index=_internal sourcetype=splunkd log_level!=INFO | timechart span=1d sum(date_minute) as SLOC | predict SLOC </CODE></PRE> Sun, 22 Apr 2018 11:19:35 GMT https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354967#M105009 niketn 2018-04-22T11:19:35Z https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354968#M105010 <P>To add on to this.. The predict command is very "unpredictable" and I typically stay away from using it. @matansocher didn't specify if his data is seasonal or non-seasonal so perhaps the LLP5 algorithm he's using may not be the best choice.. </P> <P>You may also want to consider using the MLTK for time series forecasting as its more flexible and allows you to control sample sizes and gives more feedback </P> Sun, 22 Apr 2018 16:12:20 GMT https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354968#M105010 skoelpin 2018-04-22T16:12:20Z https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354969#M105011 <P>@skoelpin... <CODE>Predict command is very "unpredictable"</CODE> LOL... true!!!</P> <P>@matansocher do read documentation as arguments to predict command in accordance to the type of data being predicted is quite important as stated by @skoelpin. I am just adding the documentation for <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Predict">Predict</A> Command and <A href="https://docs.splunk.com/Documentation/MLApp/latest/User/ForecastTimeSeries">Forecast Time Series Showcase Example</A> Documentation for <A href="https://splunkbase.splunk.com/app/2890/">Machine Learning Toolkit</A> App.</P> Mon, 23 Apr 2018 06:31:09 GMT https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354969#M105011 niketn 2018-04-23T06:31:09Z https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354970#M105012 <P>Thanks you sko and niketnilay for your help. I have managed to use the machine learning tool kit (Forecast Time Series in particular).<BR /> I have another question.<BR /> is there a way to tell the algorithm to "strive" one value to 0 in a specific day?<BR /> I will explain better. our project ends in some date and the SLOC field will then be zero, and I want to predict the value of the SLOC field based on the past, and with knowing that it will be 0 in a specific date.</P> Mon, 23 Apr 2018 08:13:29 GMT https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354970#M105012 matansocher 2018-04-23T08:13:29Z https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354971#M105013 <P>@matansocher, actually I did not get the question quite clearly. However, if your intent is to either include one addition 0 count row per day or remove 0 count for each day. For both the scenarios you can handle the same in SPL i.e. either use <CODE>append</CODE> or <CODE>appendpipe</CODE> with <CODE>gentimes</CODE> to add 0 count rows per day or <CODE>search count!=0</CODE> before calling the predict command.</P> <P>Can you add some sample data with the requirement?</P> Wed, 25 Apr 2018 02:08:54 GMT https://community.splunk.com/t5/Splunk-Search/predict-command-doesent-work/m-p/354971#M105013 niketn 2018-04-25T02:08:54Z