Is there a way to split by using predict?
I can predict on a single factor, e.g.
| timechart span=1h max(values) as values | predict values
How about:
| timechart span=1h max(values) as values by user?
What is your exact use case here? What are you trying to predict?
It's possible you're climbing the wrong ladder here.
I have the same problem/requirement.
What I want to do is to have predictions for counts of events in the timechart that is split by country, using a trellis chart. Is there a way? The normal BY clause doesn't output anything when adding PREDICT.
Saw a nice answer by @kmorris_splunk on this subject but couldn't find it now. Maybe he will see my ping and will be able to locate it better.
Here it is: https://answers.splunk.com/answers/661506/predict-with-wildcard.html#answer-661742
This was a slightly different scenario, but it may be helpful.
Thanks, but the example did not support an actual by-clause.
index=_internal sourcetype=splunkd*
| stats count by sourcetype
| map search="search index=_internal sourcetype=$sourcetype$ | timechart count as $sourcetype$ | predict $sourcetype$"
| stats values(*) as * by _time
I need predict to support "timechart count as $sourcetype$ by host" for example.