
"Forecast Time Series" assistant returning "Error Code 1"

lradics
Path Finder

I am trying to use the Forecast Time Series assistant of the Machine Learning Toolkit, and it's returning the error "External search command 'predict' returned error code 1." (When I try copying the SPL or using the "Open in Search" option, I get the same error.)

The search I'm entering is source="*" date_year="2017", and then I'm asking it to predict the date_year field, so I know nothing will have a null or non-numeric value. (Of course, they'll all have the same value - 2017 - but I can't think of why that'd be the issue.) And when looking at the raw data, they all have valid timestamps in the _time field.

I can't find any information about error code 1 either in the Splunk documentation or on this site - does anyone have experience with this issue? I'm at a loss for what I should do - any suggestions would be greatly appreciated.

Thank you!

0 Karma
1 Solution

niketn
Legend

The predict command can only be used to predict one or more sets of time-series data, which implies you should apply it to fields generated through a transforming command (with a timestamp, obviously), not to raw events.

In simple words, the predict command will usually require a timechart command first (similar results can be obtained via the stats or chart command as well). Refer to the Splunk documentation, which clearly mentions this for usage of the predict command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Predict

source="*" date_year="2017"
| timechart count
| predict count

Or

source="*" date_year="2017"
| bin span=1mon _time
| timechart count by _time
| predict count
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma


lradics
Path Finder

Thank you, niketnilay! I didn't realize the Toolkit assistants also required the timechart command - when I added that, it worked.

A question, though - if I want it to predict a field (say, have it predict date_year instead of count), do I always have to use a stats function (e.g. avg(date_year) or max(date_year)) with the timechart command?

0 Karma

niketn
Legend

Can you please elaborate on what you need with prediction of date_year? Prediction in the literal sense also implies predicting a value in time. I am sorry, but I am unable to understand what you imply by predicting date_year. If you can add an example of your use case, that would be great.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lradics
Path Finder

I don't have a particular use case here - I'm just playing with the Toolkit to test its various capabilities 🙂 I will keep messing with it, now that it actually works (thank you!), and see if I can answer my own question.

0 Karma

niketn
Legend

The Machine Learning Toolkit has the Showcase App with a lot of examples specific to real-time use cases like predicting network traffic, disk failure, etc. It also has a link to a YouTube video which explains each one of them. Check them out unless you have already done so. (PS: the ML Toolkit has its own documentation as well, which you could check out.)

You can also get the queries which are running behind the scenes to come up with your own queries. Do read the predict command documentation, as Forecast Time Series is based on the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
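
An added example, not part of the original thread: a self-contained search that forecasts an aggregated numeric field rather than an event count, following the accepted answer's point that predict needs the output of a transforming command. The data is constructed with makeresults, and the field names sample_bytes_out, avg_sample_bytes_out and forecast are made up for this illustration.

```spl
| makeresults count=90
| streamstats count as n
| eval _time = relative_time(now(), "@d") - (90 - n) * 86400
| eval sample_bytes_out = 1000 + 10 * n + (random() % 200)
| timechart span=1d avg(sample_bytes_out) as avg_sample_bytes_out
| predict avg_sample_bytes_out as forecast algorithm=LLT future_timespan=14
```

The timechart stage reduces the 90 constructed events to one numeric value per day, which is the evenly spaced series predict operates on; the result contains the original series plus 14 forecast days with upper and lower confidence bounds.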