How can I use the predict command with a wildcard, as I have a timechart with a group-by field? See the example query below.
Query: index=_internal sourcetype=splunkd* | timechart count as Count by sourcetype | predict splunkd*
The above query gives the following error: command="predict", Unknown field: splunkd*
One way to solve this is to use a custom command, but if possible I don't want to introduce a custom command in my app. Does anyone have a solution with a query?
Note: The field name should be displayed on the panel; otherwise I could rename all fields with a particular name like col1, col2, ... I can do this, but I also want to know which field the prediction is for.
See if this method gives you what you want. It's a different approach, but since predict doesn't seem to allow for wildcards, this might give you the results you are looking for.
index=_internal sourcetype=splunkd*
| stats count by sourcetype
| map search="search index=_internal sourcetype=$sourcetype$ | timechart count as $sourcetype$ | predict $sourcetype$"
| stats values(*) as * by _time
@VatsalJagani instead of the map command you can try a subsearch like the following run-anywhere example:
index=_internal sourcetype=splunkd log_level!=INFO
| timechart count by log_level
| predict
[ search index=_internal sourcetype=splunkd log_level!=INFO
| stats values(log_level) as search
| eval search=replace("\"".mvjoin(search,"\";\"")."\";",";"," ")]
The subsearch produces separate series for prediction; in the above case "WARN" "ERROR" would be the output, which implies the final pipe would evaluate to
| predict "WARN" "ERROR"
I would expect the subsearch to perform better than map. Although the subsearch has its own subsearch limitation, I don't think in a single query you would want to predict as many series as the subsearch limit, since the query with timechart and prediction would anyway be exponentially expensive as you keep adding more series to the predict command.
PS: If you are using a post-process search, i.e. specifically in a dashboard, you can pass the result of the subsearch to the above predict command as a token.
| makeresults | eval message= "Happy Splunking!!!"
Hello @niketnilay,
This worked, but it is also giving predictions for past data. And how do I pass parameters like future_timespan?
Thanks anyway, I never knew subsearch works with commands other than the search command.
Just pass the remaining arguments which are static as you would normally do.
| predict
[ search index=_internal sourcetype=splunkd log_level!=INFO
| stats values(log_level) as search
| eval search=replace("\"".mvjoin(search,"\";\"")."\";",";"," ")]
holdback=5 future_timespan=5
Please try it out and confirm!
Also I am glad you are actively contributing to Splunk Answers community through both your questions and answers. Till date, each time I spend time here I get to learn something new. So, keep contributing.
| makeresults | eval message= "Happy Splunking!!!"
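Applying the subsearch technique from the two answers above to the original question (a timechart split by a wildcarded sourcetype rather than by log_level), as an added example that is not part of any post in this thread. The span=1h value and the holdback/future_timespan values are assumptions chosen for illustration; the subsearch must cover the same time range as the outer search, otherwise a sourcetype that appears only in one of them produces an "Unknown field" error from predict:

```spl
index=_internal sourcetype=splunkd*
| timechart span=1h count by sourcetype
| predict
    [ search index=_internal sourcetype=splunkd*
      | stats values(sourcetype) as search
      | eval search=replace("\"".mvjoin(search,"\";\"")."\";",";"," ") ]
    holdback=5 future_timespan=5
```

The subsearch expands to the quoted list of every sourcetype seen in the time range (for example "splunkd" "splunkd_access" "splunkd_ui_access"), so predict receives one named series per timechart column and the panel keeps the real field names, which addresses the note in the original question about wanting to know which field each prediction belongs to. The static arguments stay outside the subsearch brackets, as in the answer above.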
Hey niketnilay, this worked. Thanks!!!
Here is the trick that you need. Run your search twice. Once inside of a map + subsearch that generates the same results so that you can access the fields and build a string that contains them, which you then pass back out to the same search, something like this:
<Your Search Here>
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>" ]
| rename _field_list AS field_list
| table field_list
| map search="search <Your Search Here> | predict [|makeresults | eval field_list=$field_list$ | return $field_list ] "
Take a look at this run-anywhere search where my table command has arguments similar to your predict command:
|makeresults | eval A=1, B=2, C=3
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>"]
| rename _field_list AS field_list
| table field_list
| map search="|makeresults | eval A=1, B=2, C=3 | table [|makeresults | eval field_list=$field_list$ | return $field_list ]"
You will be tempted to think that you can get away without the subsearch but you cannot. This is because the map command inserts double-quotes around arguments and so we embed a subsearch to strip them off.
This query works, but it doesn't show the same visualization as the normal predict command shows (dotted lines for lower95 and upper95).
I can't test it at the moment, but you might want to look at the foreach command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach
