How to use fit command together with foreach?

Splunk Search

I would like to fit an ARIMA model to my data with a search something like this:

<base search>
| timechart span=5m avg(value) as value by some_field

The problem here is that, the number of field that returns by this search is dynamic, so it can return 5 fields one day but it could also return 3 or 7 the other day for instance.

I would like to fit an ARIMA model to all the fields that is returned by that search. What I found was the foreach command where you iterate over fields :

| foreach * [eval '<<FIELD>>' = ... ]

However, when I try to use the fit command instead of eval, I get an error message saying:

Error in 'foreach' command: Search pipeline may not contain non-streaming commands

Since foreach cannot contain non-streaming commands.

Is there a way to come around this issue?

Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...