topic Re: How can we use predict command with tstats? in Splunk Search

How can we use predict command with tstats?

att35 — Tue, 17 Aug 2021 19:31:54 GMT

Hi,

I have the following search that works against a datamodel to plot a timechart. How can I use predict command with this output?

| tstats summariesonly=true count FROM datamodel="modelname.dataset" where dataset.field="xyz" by dataset.field, _time span=1h prestats=t | timechart span=1h count by dataset.field usenull=f useother=f

If I try to do following,

| predict dataset.field

search failed with this error.

command="predict", Unknown field: dataset.field

What is the correct way to do this?

UPDATE:

Turns out, | predict "xyz" works, but this would mean it is working just for that one value of the field.

Thanks

Re: How can we use predict command with tstats?

richgalloway — Tue, 17 Aug 2021 20:39:26 GMT

Have you tried renaming the field?

| tstats summariesonly=true count FROM datamodel="modelname.dataset" where dataset.field="xyz" by dataset.field, _time span=1h prestats=t | rename dataset.field as field | timechart span=1h count by field usenull=f useother=f | predict field

Re: How can we use predict command with tstats?

att35 — Wed, 18 Aug 2021 02:09:25 GMT

Hi @richgalloway ,

Tried that but now it just gives same error message for field.

command="predict", Unknown field: field

Re: How can we use predict command with tstats?

ITWhisperer — Wed, 18 Aug 2021 06:41:06 GMT

timechart is using dataset.field for values of field names in the y axis and doesn't exist any more - try predict count

Re: How can we use predict command with tstats?

att35 — Wed, 18 Aug 2021 12:30:50 GMT

@ITWhisperer

Same result.

command="predict", Unknown field: count

With timechart everything works fine, it plots using dataset.field or even with "field" after rename. But predict doesn't seem to be taking any option as input. Only way predict works here is if I use direct value of the field.

| predict value