Splunk Search

Can you use the predict command with multiple fields without having to type them all?

splunkiesplunkh
Explorer

Hi,

I am looking to use predict command with multiple fields without typing all their names.
For example I know it can be used liked this:

Make results |Predict field1 field2 field3 

But what I need is..

Make results | timechart Amount by Name 

This makes columns like

_time A1 A2 A3 A4 ......

I don't want to type all the field names, I just want to write something like

|predict A* 
1 Solution

woodcock
Esteemed Legend

Here is the trick that you need. Run your search twice. Once inside of a map + subsearch that generates the same results so that you can access the fields and build a string that contains them, which you then pass back out to the same search, something like this:

<Your Search Here>
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>" ]
| rename _field_list AS field_list
| table field_list
| map search="search <Your Search Here> | predict [|makeresults | eval field_list=$field_list$ | return $field_list ] "

Take a look at this run-anywhere search where my table command has arguments similar to your predict command:

|makeresults | eval A=1, B=2, C=3
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>"]
| rename _field_list AS field_list
| table field_list
| map search="|makeresults | eval A=1, B=2, C=3 | table [|makeresults | eval field_list=$field_list$ | return $field_list ]"

You will be tempted to think that you can get away without the subsearch (ending with | table $field_list$) but you cannot because the map command inserts double-quotes around arguments (so you end up with | table "A B C" instead of | table A B C) and so we embed a subsearch to strip them off.

View solution in original post

sarauppal
Explorer

Hi @woodcook
The method works without the map search.
I just populate the list of the fields in a separate search and add that in front of predict command like this

<my search>
|timechart Amount by Category limit=0 ("this generates field names that I need)
|predict [another search here to make the same field list as above| return $field_list]

It works fine if my number of fields are as high as 27.
The next setting I tried had 214 fields and it doesnt return anything. Neither does it throw any error... Is there an upper limit for number of fields?
Also can I suppress upper95 and lower95 such that they arent generated at all, just one prediction field is generated per field

0 Karma

morawi5
Explorer

Can you explain this a bit better?

I'm trying to run that query you have, but its just not working?

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @splunkiessplunkhead (woah, what a name!)

Did one of the answer's below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma

splunkiesplunkh
Explorer

made it work!
thanks

0 Karma

splunkiesplunkh
Explorer

Hi, I am trying to implement this but getting errors, may be doing something wrong. Will try and fix it. If it does work I will accept the answer.
Thanks

0 Karma

woodcock
Esteemed Legend

Here is the trick that you need. Run your search twice. Once inside of a map + subsearch that generates the same results so that you can access the fields and build a string that contains them, which you then pass back out to the same search, something like this:

<Your Search Here>
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>" ]
| rename _field_list AS field_list
| table field_list
| map search="search <Your Search Here> | predict [|makeresults | eval field_list=$field_list$ | return $field_list ] "

Take a look at this run-anywhere search where my table command has arguments similar to your predict command:

|makeresults | eval A=1, B=2, C=3
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>"]
| rename _field_list AS field_list
| table field_list
| map search="|makeresults | eval A=1, B=2, C=3 | table [|makeresults | eval field_list=$field_list$ | return $field_list ]"

You will be tempted to think that you can get away without the subsearch (ending with | table $field_list$) but you cannot because the map command inserts double-quotes around arguments (so you end up with | table "A B C" instead of | table A B C) and so we embed a subsearch to strip them off.

splunkiesplunkh
Explorer

Thanks @woodcock.

0 Karma

sarauppal
Explorer

Hi @woodcook
The method works without the map search.
I just populate the list of the fields in a separate search and add that in front of predict command like this

<my search>
|timechart Amount by Category limit=0 ("this generates field names that I need)
|predict [another search here to make the same field list as above| return $field_list]

It works fine if my number of fields are as high as 27.
The next setting I tried had 214 fields and it doesnt return anything. Neither does it throw any error... Is there an upper limit for number of fields?
Also can I suppress upper95 and lower95 such that they arent generated at all, just one prediction field is generated per field

0 Karma

woodcock
Esteemed Legend

To be fair, that is a different question and you should Accept this answer and ask a new one.

0 Karma

lumnious
Engager

Hi splunkiesplunkhead

I don't really think you can use predict like that, it expects explicit declaration of all the fields.

When you call | predict A*
You get the error

command="predict", Unknown field: A*
I'll actually be following this thread in case someone offers a positive solution for this.

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...