
"Forecast Time Series" assistant returning "Error Code 1"

lradics
Path Finder

I am trying to use the Forecast Time Series assistant of the Machine Learning Toolkit, and it's returning the error External search command 'predict' returned error code 1. (When I try copying the SPL or using the "Open in Search" option, I get the same error.)

The search I'm entering is source="*" date_year="2017", and then I'm asking it to predict the date_year field, so I know nothing will have a null or non-numeric value. (Of course, they'll all have the same value - 2017 - but I can't think of why that'd be the issue.) And when looking at the raw data, they all have valid timestamps in the _time field.

I can't find any information about error code 1 either in the Splunk documentation or on this site - does anyone have experience with this issue? I'm at a loss for what I should do - any suggestions would be greatly appreciated.

Thank you!

1 Solution

niketn
Legend

The predict command can only be used to predict one or more sets of time-series data, which implies you should apply it to fields generated through a transforming command (with a timestamp, obviously), not to raw events.

In simple words, the predict command usually requires a timechart command first (similar results can be obtained via the stats or chart commands as well). Refer to the Splunk documentation, which clearly mentions this for the usage of the predict command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Predict

source="*" date_year="2017"
| timechart count
| predict count

Or

source="*" date_year="2017"
| timechart span=1mon count
| predict count
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
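As an added example that is not part of the original answer, here is the same timechart-then-predict pattern applied to a defender's baseline of daily failed SSH logins, using predict's documented options to name the forecast and its 95% confidence band so that days falling outside the band can be flagged. The index name, sourcetype, search string and output field names are assumptions.

```spl
index=auth sourcetype=linux_secure "Failed password"
| timechart span=1d count AS failed_logins
| predict failed_logins AS expected algorithm=LLP future_timespan=7 upper95=upper_band lower95=lower_band
| eval status=case(isnull(failed_logins), "forecast",
                   failed_logins > upper_band OR failed_logins < lower_band, "outside_band",
                   true(), "normal")
| table _time failed_logins expected lower_band upper_band status
```

The last seven rows carry no actual count and are pure forecast; earlier rows marked outside_band are the days whose observed volume fell outside the model's 95% interval and are candidates for a closer look.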



lradics
Path Finder

Thank you, niketnilay! I didn't realize the Toolkit assistants also required the timechart command - when I added that, it worked.

A question, though - if I want it to predict a field (say, have it predict date_year instead of count), do I always have to use a stats function (e.g. avg(date_year) or max(date_year)) with the timechart command?


niketn
Legend

Can you please elaborate on what you need with the prediction of date_year? Prediction in the literal sense also implies predicting a value over time. I am sorry, but I am unable to understand what you mean by predicting date_year. If you can add some example of your use case, that would be great.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lradics
Path Finder

I don't have a particular use case here - I'm just playing with the Toolkit to test its various capabilities 🙂 I will keep messing with it, now that it actually works (thank you!), and see if I can answer my own question.


niketn
Legend

The Machine Learning Toolkit has the Showcase app with a lot of examples specific to real-time use cases like predicting network traffic, disk failure, etc. It also has a link to a YouTube video which explains each one of them. Check them out unless you have already done so. (PS: the ML Toolkit has its own documentation as well, which you could check out.)

You can also get the queries which are running behind the scenes to come up with your own queries. Do read the predict command documentation, as Forecast Time Series is based on the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"