Splunk Search

Can you use the predict command with multiple fields without having to type them all?

Hi,

I am looking to use the predict command with multiple fields without typing all their names.
For example, I know it can be used like this:

| makeresults | predict field1 field2 field3

But what I need is:

| makeresults | timechart Amount by Name

This makes columns like

_time A1 A2 A3 A4 ......

I don't want to type all the field names, I just want to write something like

|predict A* 

Re: Can you use the predict command with multiple fields without having to type them all?

Engager

Hi splunkiesplunkhead

I don't really think you can use predict like that, it expects explicit declaration of all the fields.

When you call | predict A*
you get the error:

command="predict", Unknown field: A*
I'll actually be following this thread in case someone offers a positive solution for this.

Re: Can you use the predict command with multiple fields without having to type them all?

Esteemed Legend

Here is the trick that you need. Run your search twice: once inside of a map + subsearch that generates the same results, so that you can access the fields and build a string that contains them, which you then pass back out to the same search, something like this:

<Your Search Here>
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>" ]
| rename _field_list AS field_list
| table field_list
| map search="search <Your Search Here> | predict [|makeresults | eval field_list=$field_list$ | return $field_list ] "

Take a look at this run-anywhere search where my table command has arguments similar to your predict command:

|makeresults | eval A=1, B=2, C=3
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>"]
| rename _field_list AS field_list
| table field_list
| map search="|makeresults | eval A=1, B=2, C=3 | table [|makeresults | eval field_list=$field_list$ | return $field_list ]"

You will be tempted to think that you can get away without the subsearch (ending with | table $field_list$), but you cannot, because the map command inserts double-quotes around arguments (so you end up with | table "A B C" instead of | table A B C), and so we embed a subsearch to strip them off.

Re: Can you use the predict command with multiple fields without having to type them all?

Explorer

Hi @woodcock
The method works without the map search.
I just populate the list of the fields in a separate search and add that in front of the predict command like this:

<my search>
| timechart Amount by Category limit=0   (this generates the field names that I need)
| predict [<another search here that makes the same field list as above> | return $field_list]

It works fine when my number of fields is as high as 27.
The next setting I tried had 214 fields and it doesn't return anything. Neither does it throw any error... Is there an upper limit for the number of fields?
Also, can I suppress upper95 and lower95 such that they aren't generated at all, so just one prediction field is generated per field?

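As an added run-anywhere example (not code from the thread), this combines the accepted answer's foreach trick with the subsearch-only variant above for the original timechart-then-predict case: the subsearch regenerates the same timechart, keeps one row with head 1, builds the field list from every column matching A* (so _time is never handed to predict), and returns it unquoted. The four-series makeresults data (A1 to A4, one value per series per day over 60 days) is constructed, and the search assumes an All time picker so timechart does not pad the range with empty buckets.

```spl
| makeresults count=240
| streamstats count AS n
| eval day = floor((n - 1) / 4), Name = "A" . ((n % 4) + 1)
| eval _time = relative_time(now(), "-60d@d") + day * 86400
| eval Amount = 100 + (n * 7) % 50
| timechart span=1d limit=0 sum(Amount) by Name
| predict [
    | makeresults count=240
    | streamstats count AS n
    | eval day = floor((n - 1) / 4), Name = "A" . ((n % 4) + 1)
    | eval _time = relative_time(now(), "-60d@d") + day * 86400
    | eval Amount = 100 + (n * 7) % 50
    | timechart span=1d limit=0 sum(Amount) by Name
    | head 1
    | eval _field_list = ""
    | foreach A* [ eval _field_list = _field_list . " <<FIELD>>" ]
    | eval field_list = trim(_field_list)
    | return $field_list
  ]
```

Because the field names are identical on every timechart row, head 1 keeps the subsearch to a single result; the outer search is still duplicated inside the brackets, which is the cost of this approach in either form.
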

Re: Can you use the predict command with multiple fields without having to type them all?

Esteemed Legend

To be fair, that is a different question and you should Accept this answer and ask a new one.

Re: Can you use the predict command with multiple fields without having to type them all?

Thanks @woodcock.

Re: Can you use the predict command with multiple fields without having to type them all?

Splunk Employee

hi @splunkiessplunkhead (woah, what a name!)

Did one of the answers below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

Re: Can you use the predict command with multiple fields without having to type them all?

Hi, I am trying to implement this but getting errors; I may be doing something wrong. Will try and fix it. If it does work, I will accept the answer.
Thanks

Re: Can you use the predict command with multiple fields without having to type them all?

Made it work!
thanks
