topic Re: Can you use the predict command with multiple fields without having to type them all? in Splunk Search

Can you use the predict command with multiple fields without having to type them all?

splunkiesplunkh — Mon, 24 Sep 2018 20:11:13 GMT

Hi,

I am looking to use predict command with multiple fields without typing all their names.
For example I know it can be used liked this:

Make results |Predict field1 field2 field3

But what I need is..

Make results | timechart Amount by Name

This makes columns like

_time A1 A2 A3 A4 ......

I don't want to type all the field names, I just want to write something like

|predict A*

Re: Can you use the predict command with multiple fields without having to type them all?

lumnious — Sat, 06 Oct 2018 18:13:34 GMT

Hi splunkiesplunkhead

I don't really think you can use predict like that, it expects explicit declaration of all the fields.

When you call | predict A*
You get the error

command="predict", Unknown field: A*
I'll actually be following this thread in case someone offers a positive solution for this.

Re: Can you use the predict command with multiple fields without having to type them all?

woodcock — Sun, 07 Oct 2018 20:20:08 GMT

Here is the trick that you need. Run your search twice. Once inside of a map + subsearch that generates the same results so that you can access the fields and build a string that contains them, which you then pass back out to the same search, something like this:

<Your Search Here>
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>" ]
| rename _field_list AS field_list
| table field_list
| map search="search <Your Search Here> | predict [|makeresults | eval field_list=$field_list$ | return $field_list ] "

Take a look at this run-anywhere search where my table command has arguments similar to your predict command:

|makeresults | eval A=1, B=2, C=3
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>"]
| rename _field_list AS field_list
| table field_list
| map search="|makeresults | eval A=1, B=2, C=3 | table [|makeresults | eval field_list=$field_list$ | return $field_list ]"

You will be tempted to think that you can get away without the subsearch (ending with | table $field_list$) but you cannot because the map command inserts double-quotes around arguments (so you end up with | table "A B C" instead of | table A B C) and so we embed a subsearch to strip them off.

Re: Can you use the predict command with multiple fields without having to type them all?

mstjohn_splunk — Fri, 12 Oct 2018 19:13:03 GMT

hi @splunkiessplunkhead (woah, what a name!)

Did one of the answer's below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

Re: Can you use the predict command with multiple fields without having to type them all?

splunkiesplunkh — Fri, 19 Oct 2018 18:32:10 GMT

Hi, I am trying to implement this but getting errors, may be doing something wrong. Will try and fix it. If it does work I will accept the answer.
Thanks

Re: Can you use the predict command with multiple fields without having to type them all?

sarauppal — Tue, 23 Oct 2018 22:32:23 GMT

Hi @woodcook
The method works without the map search.
I just populate the list of the fields in a separate search and add that in front of predict command like this

<my search>
|timechart Amount by Category limit=0 ("this generates field names that I need)
|predict [another search here to make the same field list as above| return $field_list]

It works fine if my number of fields are as high as 27.
The next setting I tried had 214 fields and it doesnt return anything. Neither does it throw any error... Is there an upper limit for number of fields?
Also can I suppress upper95 and lower95 such that they arent generated at all, just one prediction field is generated per field

Re: Can you use the predict command with multiple fields without having to type them all?

sarauppal — Tue, 23 Oct 2018 22:33:06 GMT

Hi @woodcook
The method works without the map search.
I just populate the list of the fields in a separate search and add that in front of predict command like this

<my search>
|timechart Amount by Category limit=0 ("this generates field names that I need)
|predict [another search here to make the same field list as above| return $field_list]

Re: Can you use the predict command with multiple fields without having to type them all?

woodcock — Tue, 23 Oct 2018 22:52:29 GMT

To be fair, that is a different question and you should Accept this answer and ask a new one.

Re: Can you use the predict command with multiple fields without having to type them all?

splunkiesplunkh — Wed, 24 Oct 2018 18:23:22 GMT

Thanks @woodcock.

Re: Can you use the predict command with multiple fields without having to type them all?

splunkiesplunkh — Wed, 24 Oct 2018 18:24:39 GMT

made it work!
thanks

Re: Can you use the predict command with multiple fields without having to type them all?

morawi5 — Wed, 26 Aug 2020 20:05:20 GMT

Can you explain this a bit better?

I'm trying to run that query you have, but its just not working?