Hi,
I have the following search that works against a datamodel to plot a timechart. How can I use predict command with this output?
| tstats summariesonly=true count FROM datamodel="modelname.dataset" where dataset.field="xyz" by dataset.field, _time span=1h prestats=t | timechart span=1h count by dataset.field usenull=f useother=f
If I try to do following,
| predict dataset.field
timechart is using dataset.field for values of field names in the y axis and doesn't exist any more - try predict count
Same result.
command="predict", Unknown field: count
With timechart everything works fine, it plots using dataset.field or even with "field" after rename. But predict doesn't seem to be taking any option as input. Only way predict works here is if I use direct value of the field.
| predict value
Have you tried renaming the field?
| tstats summariesonly=true count FROM datamodel="modelname.dataset" where dataset.field="xyz" by dataset.field, _time span=1h prestats=t
| rename dataset.field as field
| timechart span=1h count by field usenull=f useother=f
| predict field
Hi @richgalloway ,
Tried that but now it just gives same error message for field.
command="predict", Unknown field: field