- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: timechart avg(bytes) by... not working with pr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried various combinations but failed
index="flowintegrator" src_port=21
|eval thisUser=src_ip + "="+ dest_ip
| timechart avg(bytes) as volume by
thisUser|predict thisUserindex="flowintegrator" src_port=21
|eval thisUser=src_ip + "="+ dest_ip
| timechart avg(bytes) as avg_bytes
by thisUser|predict avg_bytes
This works but I can't predict.
index="flowintegrator" src_port=21 |eval thisUser=src_ip + "="+ dest_ip | timechart avg(bytes) as avg_bytes by thisUser
Help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See the result of timechart.Field name is wrong.
Since predict can not use wildcards, you must specify all field names.
However, since "=" can not be used, please change it to "_".
ex.
|predict "127.0.0.1_127.0.0.2" "127.0.0.1_127.0.0.3" "127.0.0.1_127.0.0.4" ・・・
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See the result of timechart.Field name is wrong.
Since predict can not use wildcards, you must specify all field names.
However, since "=" can not be used, please change it to "_".
ex.
|predict "127.0.0.1_127.0.0.2" "127.0.0.1_127.0.0.3" "127.0.0.1_127.0.0.4" ・・・
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you HIroshi-san,
|predict 127.0.0.1_127.0.0.2 works
However, the thisUser is dynamic, how can I pass this range of thisUser to predict? If this is not possible, I will mark your answer as correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you look at the predict manual you can not use wildcards in the field list.
So I think that dynamic designation can not be done.
ex.
predict <field-list>
table <wc-field-list>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sounds good to me. I will find another way to do my alert. arigato gozaimasu
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
just thought of something, given my date span is per 7 days, i can rename the ipUser.
|rename "127*" as ip* |predict ip1, ip2, ip3, ip4, ip5, ip6, ip7
Thanks for the inspiration. (y)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
forgot to mention about the error in predict
e.g.
Command: predict, unknown field: avg_bytes
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
