Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Predict command on a csv file?

sbaker44
Engager
‎04-27-2021 08:57 AM

I'm trying to run the predict query on an existing csv file with the _time and count in it.

This csv was exported from a query where it gathered the count of an event in span = 5m, and then exported using the export button below the search bar. 

_time,                           count
2021-03-24T00:00:00.000-0400,    85

Predict seems to need timechart to work properly, but I don't know how to get timechart to point to the already existing timestamps produced within the csv.

Query: 

| inputlookup csv_name.csv
| predict count as prediction algorithm=LLP future_timespan=150 holdback=0 |

I've read that maybe strptime and/or timechart need to be used somewhere within the query, but I do not know how to apply them. 

Error code that we get is:

External search command 'predict' returned error code 1. 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-27-2021 11:03 AM

Yes, the predict command needs the _time field because it also needs the timechart command.  Furthermore, the _time field must be in epoch (integer) form.  Try this query:

| inputlookup csv_name.csv
| eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%z")
| timechart span=1d count
| predict count as prediction algorithm=LLP future_timespan=150 holdback=0

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-27-2021 11:03 AM

Yes, the predict command needs the _time field because it also needs the timechart command.  Furthermore, the _time field must be in epoch (integer) form.  Try this query:

| inputlookup csv_name.csv
| eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%z")
| timechart span=1d count
| predict count as prediction algorithm=LLP future_timespan=150 holdback=0

 

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...