Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I add fields to output from predict

chengka
Explorer
‎01-22-2016 03:03 PM

I need to locate and alert on counts that are not within predicted bounds. It seems simple enough using predict, but predict does not include any information regarding the source. Here is a run anywhere search which illustrates my concern

index=_internal sourcetype=splunkd_access* | timechart span=1d count as Gets | predict Gets | eval queueManager=if(1=1, mq_ir360_qmgr,"no") | rename upper95(prediction(Gets)) as ceiling | rename lower95(prediction(Gets)) as floor | eval excession=if(Gets > ceiling, "100", "0") | eval recession=if(Get < floor, "-100", "0") | table _time Gets, sourcetype

As you can see, there is no mention of the sourcetype in the results. I plan to use this within a map loop to check thousands of different hosts and I need to know which host contains an outlier. I tried to add information, but it is not in the pipe, so I can't(see second example) .

How would I get the sourcetype in my output?

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎01-23-2016 07:47 AM

I believe the reason you don't see the sourcetype is because of the timechart command. Try including the sourcetype field as an output to that command. Something like this may work

... |  timechart span=1d first(sourcetype) as sourcetype count as Gets | predict Gets | table _time Gets sourcetype

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎01-23-2016 07:47 AM

I believe the reason you don't see the sourcetype is because of the timechart command. Try including the sourcetype field as an output to that command. Something like this may work

... |  timechart span=1d first(sourcetype) as sourcetype count as Gets | predict Gets | table _time Gets sourcetype
0 Karma
Reply
Solved! Jump to solution

chengka
Explorer
‎01-26-2016 03:04 PM

That worked. Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...