Solved: Predict command on a csv file?

sbaker44 · ‎04-27-2021

I'm trying to run the predict query on an existing csv file with the _time and count in it.

This csv was exported from a query where it gathered the count of an event in span = 5m, and then exported using the export button below the search bar.

_time, count
2021-03-24T00:00:00.000-0400, 85

Predict seems to need timechart to work properly, but I don't know how to get timechart to point to the already existing timestamps produced within the csv.

Query:

| inputlookup csv_name.csv
| predict count as prediction algorithm=LLP future_timespan=150 holdback=0 |

I've read that maybe strptime and/or timechart need to be used somewhere within the query, but I do not know how to apply them.

Error code that we get is:

External search command 'predict' returned error code 1.

richgalloway · ‎04-27-2021

Yes, the predict command needs the _time field because it also needs the timechart command. Furthermore, the _time field must be in epoch (integer) form. Try this query:

| inputlookup csv_name.csv
| eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%z")
| timechart span=1d count
| predict count as prediction algorithm=LLP future_timespan=150 holdback=0

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-27-2021

Yes, the predict command needs the _time field because it also needs the timechart command. Furthermore, the _time field must be in epoch (integer) form. Try this query:

| inputlookup csv_name.csv
| eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%z")
| timechart span=1d count
| predict count as prediction algorithm=LLP future_timespan=150 holdback=0

---
If this reply helps you, Karma would be appreciated.

Predict command on a csv file?

lookup

other

timechart

Enterprise Security Content Update (ESCU) | New Releases

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!