Hi,

I am trying to apply the above search for my data but I am getting an error " Error in 'eval'command: The expression is malformed

looks like the "future_timespan=" is not green and is not recogonised for some reason or I am not sure what am I doing wrong.

My search:
index=**** sourcetype=*****
| dedup incident
| timechart span=1d dc(incident) as dc_incident
| predict dc_incident
[| gentimes start=-1
| eval inc_vol_by_eom="future_timespan=".round(relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400)
| table inc_vol_by_eom]

Hi, you were missing a "(" between - round((relative_time

index= sourcetype=*
| dedup incident
| timechart span=1d dc(incident) as dc_incident
| predict dc_incident
[| gentimes start=-1
| eval inc_vol_by_eom="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400)
| table inc_vol_by_eom]

Ahhhh thanks

now I get a new Error "command="predict", unknown option inc_vol_by_eom=future_timespan=2 "

Yes, very good and very fast!

To continue my quest - I want to add future predictions to current earnings to estimate a month total. I tried to use sum(prediciton(Earnings)) but the result is wild too high because it uses predictions for past days when we have no earnings (weekends) as well. Therefore I think I need to add actual earnings plus forecasts for the future days to get to a more realistic estimation. Is there a way to do that?

I found a solution, but my idea was bad, the answer is even worst than without this idea:
event=Payment | timechart span=1d sum(value) as Earnings | predict Earnings [| gentimes start=-1 | eval search="future_timespan=".round((relative_time(now(),"@mon+1mon-1d")-relative_time(now(),"@d"))/86400) | table search] as pred| stats sum(eval(if(_time<now(),0,pred))) as future1, sum(Earnings) as past1 | eval total=past1+future1