Splunk Search

command="predict", Too few data points: 0. Need at least 1 (too many holdbacks (0) maybe?)

Janani_Krish
Path Finder

Hello,

I have tried the following command to forecast the recipient field using the predict command and the Forecast Time Series assistant.

sourcetype="mysource"|timechart span=60min values(recipient{}) as recipient values(headerFrom) as headerFrom count(recipient{}) by span | predict "recipient: NULL" as prediction algorithm=LLP holdback=0 future_timespan=5 upper95=upper95 lower95=lower95 | `forecastviz(5, 0, "recipient: NULL", 95)`

I gave "recipient: NULL" to predict because the columns I get as a result of timechart are as follows:

_time      count(recipient{}): NULL       headerFrom: NULL           recipient: NULL

I tried renaming the recipient field in the predict command as follows:

sourcetype="mysource"|timechart span=60min values(recipient{}) as recipient values(headerFrom) as headerFrom count(recipient{}) by span | predict "recipient" as prediction algorithm=LLP holdback=0 future_timespan=5 upper95=upper95 lower95=lower95 | `forecastviz(5, 0, "recipient: NULL", 95)`

But then I get the error "command="predict", Unknown field: recipient".

Please suggest.


isoutamo
SplunkTrust

Hi

What is this part of your query reporting?

sourcetype="mysource"|timechart span=60min values(recipient{}) as recipient values(headerFrom) as headerFrom count(recipient{}) by span


Usually there is no need to add holdback=0 as it's the default.

Can you also add sample of your events so we could understand what your data is containing?

Janani_Krish
Path Finder

Hello Sautamo,

Thanks.

My recipient field contains names of recipients.

Later I realized I was trying to predict the names of recipients, but according to the algorithm I can only predict a numerical value such as a count.

It worked for me when I set the predicted value to be count.

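For reference, here is the corrected search that the thread converges on, written out as an added example rather than a query posted in the thread. It assumes the same sourcetype and field names the original poster used, and it drops two things from the original search: the values(recipient{}) and values(headerFrom) series, which are strings and cannot be forecast, and the "by span" clause, which split the timechart on a field that does not exist and is what produced the "...: NULL" column names in the first place. Only the hourly count is kept and forecast, with holdback left at its default of 0.

```spl
sourcetype="mysource"
| timechart span=60min count(recipient{}) AS recipient_count
| predict recipient_count AS prediction algorithm=LLP future_timespan=5 upper95=upper95 lower95=lower95
| `forecastviz(5, 0, "recipient_count", 95)`
```

The field handed to predict must be numeric and must be named exactly as timechart emits it; aliasing it with AS in the timechart avoids the "Unknown field" error seen above. Forecasting the recipient count per hour in this way also gives a baseline for mail volume, so an hour whose actual count sits well outside the 95% band is a reasonable trigger for a closer look at who was sending to whom.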