Solved: Can you use the predict command with multiple fiel...

splunkiesplunkh · ‎09-24-2018

Hi,

I am looking to use predict command with multiple fields without typing all their names.
For example I know it can be used liked this:

Make results |Predict field1 field2 field3

But what I need is..

Make results | timechart Amount by Name

This makes columns like

_time A1 A2 A3 A4 ......

I don't want to type all the field names, I just want to write something like

|predict A*

woodcock · ‎10-07-2018

Here is the trick that you need. Run your search twice. Once inside of a map + subsearch that generates the same results so that you can access the fields and build a string that contains them, which you then pass back out to the same search, something like this:

<Your Search Here>
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>" ]
| rename _field_list AS field_list
| table field_list
| map search="search <Your Search Here> | predict [|makeresults | eval field_list=$field_list$ | return $field_list ] "

Take a look at this run-anywhere search where my table command has arguments similar to your predict command:

|makeresults | eval A=1, B=2, C=3
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>"]
| rename _field_list AS field_list
| table field_list
| map search="|makeresults | eval A=1, B=2, C=3 | table [|makeresults | eval field_list=$field_list$ | return $field_list ]"

You will be tempted to think that you can get away without the subsearch (ending with | table $field_list$) but you cannot because the map command inserts double-quotes around arguments (so you end up with | table "A B C" instead of | table A B C) and so we embed a subsearch to strip them off.

View solution in original post

sarauppal · ‎10-23-2018

Hi @woodcook
The method works without the map search.
I just populate the list of the fields in a separate search and add that in front of predict command like this

<my search>
|timechart Amount by Category limit=0 ("this generates field names that I need)
|predict [another search here to make the same field list as above| return $field_list]

It works fine if my number of fields are as high as 27.
The next setting I tried had 214 fields and it doesnt return anything. Neither does it throw any error... Is there an upper limit for number of fields?
Also can I suppress upper95 and lower95 such that they arent generated at all, just one prediction field is generated per field

morawi5 · ‎08-26-2020

Can you explain this a bit better?

I'm trying to run that query you have, but its just not working?

mstjohn_splunk · ‎10-12-2018

hi @splunkiessplunkhead (woah, what a name!)

Did one of the answer's below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

splunkiesplunkh · ‎10-24-2018

made it work!
thanks

splunkiesplunkh · ‎10-19-2018

Hi, I am trying to implement this but getting errors, may be doing something wrong. Will try and fix it. If it does work I will accept the answer.
Thanks

woodcock · ‎10-07-2018

Here is the trick that you need. Run your search twice. Once inside of a map + subsearch that generates the same results so that you can access the fields and build a string that contains them, which you then pass back out to the same search, something like this:

<Your Search Here>
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>" ]
| rename _field_list AS field_list
| table field_list
| map search="search <Your Search Here> | predict [|makeresults | eval field_list=$field_list$ | return $field_list ] "

Take a look at this run-anywhere search where my table command has arguments similar to your predict command:

|makeresults | eval A=1, B=2, C=3
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>"]
| rename _field_list AS field_list
| table field_list
| map search="|makeresults | eval A=1, B=2, C=3 | table [|makeresults | eval field_list=$field_list$ | return $field_list ]"

You will be tempted to think that you can get away without the subsearch (ending with | table $field_list$) but you cannot because the map command inserts double-quotes around arguments (so you end up with | table "A B C" instead of | table A B C) and so we embed a subsearch to strip them off.

splunkiesplunkh · ‎10-24-2018

Thanks @woodcock.

sarauppal · ‎10-23-2018

Hi @woodcook
The method works without the map search.
I just populate the list of the fields in a separate search and add that in front of predict command like this

<my search>
|timechart Amount by Category limit=0 ("this generates field names that I need)
|predict [another search here to make the same field list as above| return $field_list]

It works fine if my number of fields are as high as 27.
The next setting I tried had 214 fields and it doesnt return anything. Neither does it throw any error... Is there an upper limit for number of fields?
Also can I suppress upper95 and lower95 such that they arent generated at all, just one prediction field is generated per field

woodcock · ‎10-23-2018

To be fair, that is a different question and you should Accept this answer and ask a new one.

lumnious · ‎10-06-2018

Hi splunkiesplunkhead

I don't really think you can use predict like that, it expects explicit declaration of all the fields.

When you call | predict A*
You get the error

command="predict", Unknown field: A*
I'll actually be following this thread in case someone offers a positive solution for this.

Can you use the predict command with multiple fields without having to type them all?

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake