How to apply the predict command with group by for...

intelsubham · ‎06-19-2015

I want to apply the predict command on multiple column values with one search.

My table values are like this:

fetching table by applying timechart on a field which contains numeric values.

laurie_gellatly · ‎12-07-2016

If you have your columns in a 'somecategory' field and the values of the columns in a 'somecount' field that would allow you to do something like

... | timechart sum(somecount) BY somecategory | predict 10357 12745 13317

...Laurie:{)

gwobben · ‎03-17-2016

Sorry, you cannot do that. Predict has no "by" clause, like stats, which makes it impossible to make multiple predictions.

HOWEVER

If you really need to, and don't really care for performance, you could use the map command to do something like:

 ... your search resulting in a list IDs (your column names) ... | map [search id=$id$ | timechart something | predict]

The map command will loop all of your column names (I guess they are IDs of something?) and execute predict for each of them. Then it will append the results of each run to the final results. Just remember this has quite the performance impact because you'll be starting a new search for each ID.

As an alternative you might consider user the R app, which is currently only available on github: https://github.com/rfsp/r. This app will allow you to run R commands in Splunk, and R is able to make multiple predictions at a time.

How to apply the predict command with group by for multiple column values in one search ?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation