Splunk Search

command="predict", Too few data points: 0. Need at least 1 (too many holdbacks (0) maybe?)

Janani_Krish
Path Finder

Hello,

I have tried the following command to forecast recipient using the predict command and the Forecast Time Series assistant.

sourcetype="mysource"|timechart span=60min values(recipient{}) as recipient values(headerFrom) as headerFrom count(recipient{}) by span | predict "recipient: NULL" as prediction algorithm=LLP holdback=0 future_timespan=5 upper95=upper95 lower95=lower95 | `forecastviz(5, 0, "recipient: NULL", 95)`

I gave recipient:NULL for predict because the column I get as a result of timechart is as follows,

_time      count(recipient{}): NULL       headerFrom: NULL           recipient: NULL

I tried renaming the recipient field of the predict command as follows,

sourcetype="mysource"|timechart span=60min values(recipient{}) as recipient values(headerFrom) as headerFrom count(recipient{}) by span | predict "recipient" as prediction algorithm=LLP holdback=0 future_timespan=5 upper95=upper95 lower95=lower95 | `forecastviz(5, 0, "recipient: NULL", 95)`

But then I am getting the error "command="predict", Unknown field: recipient"

Please suggest.

0 Karma

isoutamo
SplunkTrust

Hi

What is this part of your query reporting:

sourcetype="mysource"|timechart span=60min values(recipient{}) as recipient values(headerFrom) as headerFrom count(recipient{}) by span

Usually there is no need to add holdback=0 as it's the default.

Can you also add a sample of your events so we can understand what your data contains?

Janani_Krish
Path Finder

Hello Sautamo,

Thanks.

My recipient field contains names of recipients.

Later I realized I was trying to predict the names of recipients, but according to the algorithm I can predict only a numerical value like count.

It worked for me when I set the predicted value to be count.

0 Karma
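
Added example, not part of the original thread: the query from the question with the fix described in the last reply, where predict is given a numeric series (the hourly count of recipient{} values) instead of the recipient names. The `by span` split is left out, since the split-by clause is where the ": NULL" suffix on the timechart column names comes from, and holdback=0 is dropped because it is the default. The field name recipient_count is an assumption chosen for illustration; the sourcetype, predict options and forecastviz macro are taken from the question.

```spl
sourcetype="mysource"
| timechart span=60min count(recipient{}) as recipient_count
| predict recipient_count as prediction algorithm=LLP future_timespan=5 upper95=upper95 lower95=lower95
| `forecastviz(5, 0, "recipient_count", 95)`
```

The field passed to predict and the field name passed to forecastviz must both match the column name that timechart actually outputs, which is why the renamed "recipient" in the second attempt was reported as an unknown field.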