topic Re: Predict by in Splunk Search

Predict by

Parameshwara — Fri, 15 Nov 2013 05:52:49 GMT

My search result:

_time                       Location    Total
01/01/13 12:00:00.000 AM    Location 1  12
02/01/13 12:00:00.000 AM    Location 1  15
03/01/13 12:00:00.000 AM    Location 1  10
04/01/13 12:00:00.000 AM    Location 1  19
05/01/13 12:00:00.000 AM    Location 1  15
01/01/13 12:00:00.000 AM    Location 2  2
02/01/13 12:00:00.000 AM    Location 2  2
03/01/13 12:00:00.000 AM    Location 2  3
04/01/13 12:00:00.000 AM    Location 2  5
05/01/13 12:00:00.000 AM    Location 2  2
01/01/13 12:00:00.000 AM    Location 3  35
02/01/13 12:00:00.000 AM    Location 3  35
03/01/13 12:00:00.000 AM    Location 3  39
04/01/13 12:00:00.000 AM    Location 3  25
05/01/13 12:00:00.000 AM    Location 3  30

Is it possible to use predict, for the Total field by Location?

Re: Predict by

mtmoore — Wed, 20 Nov 2013 13:08:51 GMT

I also want to know if this possible. Being able to predict on one piece of data only is very limiting..

Re: Predict by

HattrickNZ — Sun, 10 May 2015 22:22:22 GMT

I don't know but what I have come to conclude is that you can only do by 1 location at a time, so you have to filter out the others before doing your predict.

It probably isn't what you want but 1 prediction graph per location might be clearer to the end user, as with 3 predictions in one graph would be very unclear, unless you could turn different locations on/off as you wish.

Re: Predict by

gwobben — Thu, 17 Mar 2016 10:37:17 GMT

Sorry, you cannot do that. Predict has no "by" clause, like stats, which makes it impossible to make multiple predictions.

HOWEVER

If you really need to, and don't really care for performance, you could use the map command to do something like:

... your search resulting in a list of Locations ... | map [search location=$location$ | timechart something | predict Total]

The map command will loop all of your locations and execute predict for each of them. Then it will append the results of each run to the final results. Just remember this has quite the performance impact because you'll be starting a new search for each location.

As an alternative you might consider user the R app, which is currently only available on github: https://github.com/rfsp/r. This app will allow you to run R commands in Splunk, and R is able to make multiple predictions at a time.

====

EDIT

The predict function now takes multiple fields, starting of version 6.3.4! Just make a timechart by something and add:

| predict <fields you want to predict>

Re: Predict by

David — Wed, 15 Jun 2016 20:49:45 GMT

Providing a clearer example for gwobben's example above, as of 6.4 you can do:

... your search string | timechart sum(Total) by Location | rename "Location *" as Location* | predict Location1 Location2 Location3

Re: Predict by

akastulin — Tue, 29 Sep 2020 16:15:08 GMT

I think there is a better option. You can use subsearch in predict command that will dynamically generate the list of fields to predict. Using Splunk tutorial data, i.e counting events based on status code and predicting it:
index="tutorial" sourcetype=access_combined_wcookie | timechart count by status | predict [search index="tutorial" sourcetype=access_combined_wcookie | stats values(status) as status | eval status=mvjoin(status, ", ") | rename status as search]

subsearch
search index="tutorial" sourcetype=access_combined_wcookie | stats values(status) as status | eval status=mvjoin(status, ", ") | rename status as search

will generate list of fields ( 200, 4004, 500,..) that predict command will take an generate prediction from.
Just an idea....