Splunk Search

timechart avg(bytes) by... not working with predict

Path Finder

I tried various combinations but failed:

  1. index="flowintegrator" srcport=21
     | eval thisUser=src_ip + "=" + dest_ip
     | timechart avg(bytes) as volume by thisUser
     | predict thisUser

  2. index="flowintegrator" srcport=21
     | eval thisUser=src_ip + "=" + dest_ip
     | timechart avg(bytes) as avg_bytes by thisUser
     | predict avg_bytes

This works, but I can't predict:
index="flowintegrator" srcport=21 | eval thisUser=src_ip + "=" + dest_ip | timechart avg(bytes) as avg_bytes by thisUser

Help


Champion

Look at the result of timechart: the field name is wrong.
Since predict cannot use wildcards, you must specify all field names.
However, since "=" cannot be used, please change it to "_".

ex.
| predict "127.0.0.1_127.0.0.2" "127.0.0.1_127.0.0.3" "127.0.0.1_127.0.0.4" ...



Path Finder

Thank you Hiroshi-san,
| predict 127.0.0.1_127.0.0.2 works.
However, thisUser is dynamic; how can I pass this range of thisUser values to predict? If this is not possible, I will mark your answer as correct.


Champion

If you look at the predict manual, you cannot use wildcards in the field list.
So I think that dynamic designation cannot be done.

ex.

predict <field-list>
table <wc-field-list>
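To make the two replies above concrete, here is an added example (my own, not code from either poster) that shows the accepted approach end to end, followed by one way to alert without predict at all, since predict requires literal field names while the thisUser values are dynamic. It assumes the field names used in the thread (index flowintegrator, srcport, src_ip, dest_ip, bytes), two made-up host pairs (10.0.0.5_10.0.0.9 and 10.0.0.5_10.0.0.12), a daily span, and an illustrative 7-day window with a 3-standard-deviation threshold.

```spl
index="flowintegrator" srcport=21
| eval thisUser=src_ip . "_" . dest_ip
| timechart span=1d limit=0 avg(bytes) as avg_bytes by thisUser
| predict "10.0.0.5_10.0.0.9" "10.0.0.5_10.0.0.12" future_timespan=7

index="flowintegrator" srcport=21
| eval thisUser=src_ip . "_" . dest_ip
| bin _time span=1d
| stats avg(bytes) as avg_bytes by _time, thisUser
| sort 0 thisUser, _time
| streamstats window=7 current=f avg(avg_bytes) as baseline, stdev(avg_bytes) as sd by thisUser
| where isnotnull(sd) AND sd > 0 AND avg_bytes > baseline + 3 * sd
| table _time, thisUser, avg_bytes, baseline, sd
```

The first search is the accepted answer made explicit: after timechart ... by thisUser, each distinct src_ip_dest_ip value becomes a column, so predict must be given those column names literally, with "_" instead of "=". limit=0 matters here because timechart otherwise keeps only the top 10 series and folds the rest into OTHER, which would silently hide the pair you are trying to predict. The second search sidesteps the limitation by keeping thisUser as a row value rather than a column: streamstats computes a trailing 7-day baseline and deviation per pair (current=f excludes the day being scored), and the where clause flags days whose average FTP volume exceeds the baseline by three standard deviations. Because nothing in it names a specific pair, it works as an alert over whatever pairs appear in the data, including ones that did not exist when the search was written.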

Path Finder

Sounds good to me. I will find another way to do my alert. Thank you very much.


Path Finder

Just thought of something: given that my date span is 7 days, I can rename the ipUser.
| rename "127" as ip | predict ip1, ip2, ip3, ip4, ip5, ip6, ip7

Thanks for the inspiration. (y)


Path Finder

Forgot to mention the error in predict, e.g.:
Command: predict, unknown field: avg_bytes
