Splunk Search

Predict with wildcard

VatsalJagani
SplunkTrust
SplunkTrust

How can I use predict command with wildcard, as I have timechart with group by field. See below example query.

Query: index=_internal sourcetype=splunkd* | timechart count as Count by sourcetype | predict splunkd*

Above query is giving following error: command="predict", Unknown field: splunkd*.
One way to solve is to use custom command, but if possible I don't want to introduce custom command in my app. If anyone have solution with query?

Note: Field name should be displayed on panel, otherwise I can rename all fields with particular name like col1, col2, ... And I can do this but I also want to know use that this prediction is for which field.

0 Karma
1 Solution

kmorris_splunk
Splunk Employee
Splunk Employee

See if this method gives you what you want. Its a different approach, but since predict doesn't seem to allow for wildcards, this might give you the results you are looking for.

index=_internal sourcetype=splunkd* 
| stats count by sourcetype 
| map search="search index=_internal sourcetype=$sourcetype$ | timechart count as $sourcetype$ | predict $sourcetype$" 
| stats values(*) as * by _time

View solution in original post

niketn
Legend

@VatsalJagani instead of map command you can try a subsearch like the following run anywhere example

index=_internal sourcetype=splunkd log_level!=INFO 
| timechart count by log_level 
| predict 
    [ search index=_internal sourcetype=splunkd log_level!=INFO 
    | stats values(log_level) as search 
    | eval search=replace("\"".mvjoin(search,"\";\"")."\";",";"," ")]

The subsearch produces separate series for prediction in the above case "WARN" "ERROR", would be the output. Which implies the final pipe would evaluate to

 | predict "WARN" "ERROR"

I would expect subsearch to perform better than map. Although, subsearch will have its own subsearch limitation, I don't think in a single query you would like to predict as many series as the subsearch limit since the query with timechart and prediction would anyways be exponentially expensive as you keep adding more series for predict command.

PS: If you are using a post-process search, i.e. specifically in a dashboard you can pass the result of subsearch to the above predict command as token.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

VatsalJagani
SplunkTrust
SplunkTrust

Hello @niketnilay,
This worked, but it is even giving prediction for past data also. And how to pass parameters like future_timespan?
Thanks Anyway, I never knew subsearch works with other commands then search command.

0 Karma

niketn
Legend

Just pass the remaining arguments which are static as you would normally do.

| predict
     [ search index=_internal sourcetype=splunkd log_level!=INFO 
     | stats values(log_level) as search 
     | eval search=replace("\"".mvjoin(search,"\";\"")."\";",";"," ")]
   holdback=5 future_timespan=5

Please try out and confirm!

Also I am glad you are actively contributing to Splunk Answers community through both your questions and answers. Till date, each time I spend time here I get to learn something new. So, keep contributing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

VatsalJagani
SplunkTrust
SplunkTrust

Heyy niketnilay this worked. Thanks!!!

0 Karma

woodcock
Esteemed Legend

Here is the trick that you need. Run your search twice. Once inside of a map + subsearch that generates the same results so that you can access the fields and build a string that contains them, which you then pass back out to the same search, something like this:

<Your Search Here>
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>" ]
| rename _field_list AS field_list
| table field_list
| map search="search <Your Search Here> | predict [|makeresults | eval field_list=$field_list$ | return $field_list ] "

Take a look at this run-anywhere search where my table command has arguments similar to your predict command:

|makeresults | eval A=1, B=2, C=3
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>"]
| rename _field_list AS field_list
| table field_list
| map search="|makeresults | eval A=1, B=2, C=3 | table [|makeresults | eval field_list=$field_list$ | return $field_list ]"

You will be tempted to think that you can get away without the subsearch but you cannot. This is because the map command inserts double-quotes around arguments and so we embed a subsearch to strip them off.

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

See if this method gives you what you want. Its a different approach, but since predict doesn't seem to allow for wildcards, this might give you the results you are looking for.

index=_internal sourcetype=splunkd* 
| stats count by sourcetype 
| map search="search index=_internal sourcetype=$sourcetype$ | timechart count as $sourcetype$ | predict $sourcetype$" 
| stats values(*) as * by _time

VatsalJagani
SplunkTrust
SplunkTrust

This query works, but it doesn't show same visualization as normal predict command shows (dotted lines for lower95 and upper95.

0 Karma

xpac
SplunkTrust
SplunkTrust

I can't test it at the moment, but you might want to look at the foreach command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...