Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Predict with wildcard

VatsalJagani
SplunkTrust
SplunkTrust
‎05-28-2018 10:21 PM

How can I use predict command with wildcard, as I have timechart with group by field. See below example query.

Query: index=_internal sourcetype=splunkd* | timechart count as Count by sourcetype | predict splunkd*

Above query is giving following error: command="predict", Unknown field: splunkd*.
One way to solve is to use custom command, but if possible I don't want to introduce custom command in my app. If anyone have solution with query?

Note: Field name should be displayed on panel, otherwise I can rename all fields with particular name like col1, col2, ... And I can do this but I also want to know use that this prediction is for which field.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎05-30-2018 06:46 AM

See if this method gives you what you want. Its a different approach, but since predict doesn't seem to allow for wildcards, this might give you the results you are looking for.

index=_internal sourcetype=splunkd* 
| stats count by sourcetype 
| map search="search index=_internal sourcetype=$sourcetype$ | timechart count as $sourcetype$ | predict $sourcetype$" 
| stats values(*) as * by _time

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎06-06-2019 08:53 AM

@VatsalJagani instead of map command you can try a subsearch like the following run anywhere example

index=_internal sourcetype=splunkd log_level!=INFO 
| timechart count by log_level 
| predict 
    [ search index=_internal sourcetype=splunkd log_level!=INFO 
    | stats values(log_level) as search 
    | eval search=replace("\"".mvjoin(search,"\";\"")."\";",";"," ")]

The subsearch produces separate series for prediction in the above case "WARN" "ERROR", would be the output. Which implies the final pipe would evaluate to 

 | predict "WARN" "ERROR"

I would expect subsearch to perform better than map. Although, subsearch will have its own subsearch limitation, I don't think in a single query you would like to predict as many series as the subsearch limit since the query with timechart and prediction would anyways be exponentially expensive as you keep adding more series for predict command.

PS: If you are using a post-process search, i.e. specifically in a dashboard you can pass the result of subsearch to the above predict command as token.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-10-2019 12:11 AM

Hello @niketnilay,
This worked, but it is even giving prediction for past data also. And how to pass parameters like future_timespan?
Thanks Anyway, I never knew subsearch works with other commands then search command.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-10-2019 02:15 AM

Just pass the remaining arguments which are static as you would normally do.

| predict
     [ search index=_internal sourcetype=splunkd log_level!=INFO 
     | stats values(log_level) as search 
     | eval search=replace("\"".mvjoin(search,"\";\"")."\";",";"," ")]
   holdback=5 future_timespan=5

Please try out and confirm!

Also I am glad you are actively contributing to Splunk Answers community through both your questions and answers. Till date, each time I spend time here I get to learn something new. So, keep contributing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-10-2019 02:40 AM

Heyy niketnilay this worked. Thanks!!!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-08-2018 07:32 AM

Here is the trick that you need. Run your search twice. Once inside of a map + subsearch that generates the same results so that you can access the fields and build a string that contains them, which you then pass back out to the same search, something like this:

<Your Search Here>
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>" ]
| rename _field_list AS field_list
| table field_list
| map search="search <Your Search Here> | predict [|makeresults | eval field_list=$field_list$ | return $field_list ] "

Take a look at this run-anywhere search where my table command has arguments similar to your predict command:

|makeresults | eval A=1, B=2, C=3
| eval _field_list=" "
| foreach * [ eval _field_list = _field_list . " <<FIELD>>"]
| rename _field_list AS field_list
| table field_list
| map search="|makeresults | eval A=1, B=2, C=3 | table [|makeresults | eval field_list=$field_list$ | return $field_list ]"

You will be tempted to think that you can get away without the subsearch but you cannot. This is because the map command inserts double-quotes around arguments and so we embed a subsearch to strip them off.

0 Karma
Reply
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎05-30-2018 06:46 AM

See if this method gives you what you want. Its a different approach, but since predict doesn't seem to allow for wildcards, this might give you the results you are looking for.

index=_internal sourcetype=splunkd* 
| stats count by sourcetype 
| map search="search index=_internal sourcetype=$sourcetype$ | timechart count as $sourcetype$ | predict $sourcetype$" 
| stats values(*) as * by _time
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎10-18-2018 02:45 AM

This query works, but it doesn't show same visualization as normal predict command shows (dotted lines for lower95 and upper95.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-29-2018 12:30 AM

I can't test it at the moment, but you might want to look at the foreach command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...