Splunk Search

Predict command on a csv file?

sbaker44
Engager

I'm trying to run the predict query on an existing csv file with the _time and count in it.

This csv was exported from a query where it gathered the count of an event in span = 5m, and then exported using the export button below the search bar. 

_time,                           count
2021-03-24T00:00:00.000-0400,    85

Predict seems to need timechart to work properly, but I don't know how to get timechart to point to the already existing timestamps produced within the csv.

Query: 

| inputlookup csv_name.csv
| predict count as prediction algorithm=LLP future_timespan=150 holdback=0 |

I've read that maybe strptime and/or timechart need to be used somewhere within the query, but I do not know how to apply them. 

Error code that we get is:

External search command 'predict' returned error code 1. 


richgalloway
SplunkTrust

Yes, the predict command needs the _time field because it also needs the timechart command.  Furthermore, the _time field must be in epoch (integer) form.  Try this query:

| inputlookup csv_name.csv
| eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%z")
| timechart span=1d sum(count) as count
| predict count as prediction algorithm=LLP future_timespan=150 holdback=0

 

---
If this reply helps you, Karma would be appreciated.
