
Getting "External search command 'predict' returned error code 1" when using "Forecast timeseries assistant" in Splunk MLTK app

ankycampy
Explorer

Hi All,

My complete query to predict the future forecast is shown below:

index=predict sourcetype=anktest | search busy!=null | timechart count(eval(busy>500)) as critical , count(eval(write>500)) as overwrite | eval serverbusy=critical | table _time serverbusy
| predict "serverbusy" as prediction algorithm="LLP" future_timespan="5" holdback="0" lower"95"=lower"95" upper"95"=upper"95" | forecastviz(5, 0, "serverbusy", 95)

I am using the Kalman filter algorithm. After running the Forecast button I am getting the error below:

External search command 'predict' returned error code 1.

What do I need to do to get rid of this error?

0 Karma

mrsplu
New Member

Were you able to solve the problem? I have the same problem. Were you able to solve it?

0 Karma

aljohnson_splun
Splunk Employee

Hi @ankycampy,

Can you confirm that this search:

 index=predict sourcetype=anktest | search busy!=null | timechart count(eval(busy>500)) AS critical
 | predict "critical" as prediction algorithm="LLP" future_timespan="15" holdback="0"  lower"95"=lower"95" upper"95"=upper"95"

works fine on both 6.5.5 and 6.6.3 ?

Can you also confirm which version of the MLTK you are using?

0 Karma

ankycampy
Explorer

Hi,

No, this query is running fine on 6.5.5 only and getting error code 1 on 6.6.3.
I am using MLTK 2.3.0 on Splunk 6.6.3.

0 Karma

niketn
Legend

Refer to one of my previous answers: the predict command requires a preceding timechart command. Refer to the predict command documentation as well: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Predict

https://answers.splunk.com/answers/551271/forecast-time-series-assistant-returning-error-cod.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ankycampy
Explorer

Hi,

index=predict sourcetype=anktest | search busy!=null | timechart count(eval(busy>500)) AS critical 
| predict "critical" as prediction algorithm="LLP" future_timespan="15" holdback="0"  lower"95"=lower"95" upper"95"=upper"95" 
| `forecastviz(15, 0, "critical", 95)`

After running the above query I am getting the same error. I am using Splunk version 6.6.3, whereas when I run the query below on Splunk version 6.5.5, where the MLTK app is not installed, it runs fine and gives me results.

index=predict sourcetype=anktest | search busy!=null | timechart count(eval(busy>500)) AS critical
| predict "critical" as prediction algorithm="LLP" future_timespan="15" holdback="0"  lower"95"=lower"95" upper"95"=upper"95"

The only differences between the above two queries are below:

  1. Different versions: one has MLTK installed and the other does not have MLTK.
  2. | forecastviz(15, 0, "critical", 95) this string is not used where MLTK is not installed.

What is wrong here?

0 Karma

mrsplu
New Member

Could you solve the problem? I'm getting the same error.

0 Karma

niketn
Legend

I ran the following run-anywhere search in 6.6.2 and MLTK 2.3.0 and added the forecastviz() function; it worked fine when I used it in the Forecast chart.

index=_internal sourcetype=splunkd  
 | timechart count(eval(log_level="ERROR")) as Error 
 | predict "Error" as prediction algorithm="LLP" future_timespan="15" holdback="0"  lower"95"=lower"95" upper"95"=upper"95"
 | `forecastviz(15, 0, "Error", 95)`

I will try with 6.6.3 but it might take some time before I upgrade. So see if you can use 6.6.2 instead of 6.6.3.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@ankycampy, I just tested Splunk 6.6.3 with latest MLTK 2.4.0 on Windows 64 bit Machine with Python for Scientific Computing Add On 1.2 and the above query worked fine for me.

Please make sure your query without forecastviz(15, 0, "Error", 95) is returning results.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

ankycampy
Explorer

I have downgraded to Splunk version 6.6.1 and am using MLTK 2.3.0 now, and all queries are working fine now. Using Splunk Enterprise on a RHEL instance.
Thanks!

0 Karma

niketn
Legend

@ankycampy, surprisingly Splunk Enterprise 6.6.3 worked with MLTK 2.4.0. So, I cannot request you to create a bug. I am also not sure whether there is a right answer for your issue. You can either accept this answer or convert your own previous comment to an answer and accept the same to mark this question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

woodcock
Esteemed Legend

Same here; works fine for me.

0 Karma

niketn
Legend

@woodcock, I bet you are on 6.6.3. Can you please confirm?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

woodcock
Esteemed Legend

I have v6.6.2

0 Karma

ankycampy
Explorer

Hi Niket,

Thanks for the post. I am using timechart in my query to generate time series data and then applying predict, but I am still getting the same error.
Reduced query as below:

index=predict sourcetype=anktest | search wcsbusy!=null 
| timechart count(eval(wcsbusy>500)) as critical 
| predict "critical" as prediction algorithm="LLP" future_timespan="15" holdback="0"  lower"95"=lower"95" upper"95"=upper"95" 
| `forecastviz(15, 0, "critical", 95)`

Getting the same error:

External search command 'predict' returned error code 1.

0 Karma