https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175153#M50262 <P>further comment on EDIT3 <BR /> maybe best to have holdback=1 on both predict functions so the graph lines up </P> Fri, 12 Jun 2015 01:49:35 GMT HattrickNZ 2015-06-12T01:49:35Z https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175149#M50258 <P>I have the follwoing search that does prediction, and what I want to do is add another column to this graph, in this case it is test=120000. This work as I would expect.</P> <P><CODE>... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) by Device | predict Device1 as predict1 future_timespan=10 holdback=2 | eval test=120000</CODE></P> <P>However I would like to get it to work using a field that is already in the dataset for example:</P> <P><CODE>... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) by Device | predict Device1 as predict1 future_timespan=10 holdback=2 | eval test=field2</CODE><BR /> How do I do this?</P> <P>I cannot get it to work, nothing shows up. I have even tried <CODE>eval test=max(field2)</CODE> but I am not sure if this can be done or is it my lack of understanding? I do not think I can place it as a parameter to <CODE>predict</CODE> as this will break my predict function. </P> <P><STRONG>EDIT1</STRONG> Alternative method but same INCORRECT RESULT</P> <P>I can actually put it as a parameter to the timechart, however it does not show any values for future dates which is what I am trying to achieve using the <CODE>eval</CODE> method.</P> <P><CODE>... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 max(field2) as f2 | predict f1 as predict1 future_timespan=10 holdback=2</CODE></P> <P><STRONG>EDIT2</STRONG> Alternative method but same INCORRECT RESULT<BR /> Another way to do it, in using <CODE>appendcols</CODE>, but it produces the same as the above 2 methods: </P> <P><CODE>... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=2 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | timechart max(field2) as f2 ]</CODE></P> <P>here is a pic of what I am talking about: (I want the yellow line to continue for the whole timespan)</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/336i26EE9E2443A7F8DF/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P><STRONG>EDIT3</STRONG> Alternative method but alomost CORRECT RESULT sogetting better </P> <P>now this at least looks like I am getting somewhere.<BR /> I have to do an <CODE>appendcols</CODE> of a new <CODE>predict</CODE> function and then drop the <CODE>upper*</CODE> and <CODE>lower*</CODE> fields to get what I want.</P> <P>The downside to this is that you lose interactivity with the graph, which I don't like, but it is almost acceptable.</P> <P><CODE>... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=2 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | | timechart max(field2) as f2 | predict f2 as f2 future_timespan=10] | fields - upper* lower*</CODE></P> <P>this is a pic of what I have now</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/337i46ECD26FBFE83A27/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Fri, 08 May 2015 01:56:54 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175149#M50258 HattrickNZ 2015-05-08T01:56:54Z https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175150#M50259 <P>my EDIT3 answer is the best I can do. </P> <P>But surely there is a better way where the interactivity is not lost, I will await someone clever <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 11 May 2015 22:33:58 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175150#M50259 HattrickNZ 2015-05-11T22:33:58Z https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175151#M50260 <P>put <CODE>holdback=1</CODE> in both <CODE>predict</CODE> functions so they line up.</P> Mon, 11 May 2015 22:36:28 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175151#M50260 HattrickNZ 2015-05-11T22:36:28Z https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175152#M50261 <P>Comment on Edit3<BR /> need to add <CODE>span=d</CODE> <CODE>timechart max(field2) as f2</CODE> to handle the ability to predict furter into the future<BR /> this also enables interactivity on the graph so all good. </P> <P>But there must be a better way, I will wait...</P> Mon, 11 May 2015 22:53:53 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175152#M50261 HattrickNZ 2015-05-11T22:53:53Z https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175153#M50262 <P>further comment on EDIT3 <BR /> maybe best to have holdback=1 on both predict functions so the graph lines up </P> Fri, 12 Jun 2015 01:49:35 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-on-a-field-after-using-the-predict-function/m-p/175153#M50262 HattrickNZ 2015-06-12T01:49:35Z