Splunk Search

using eval on a field after using the predict function

HattrickNZ
Motivator

I have the following search that does prediction, and what I want to do is add another column to this graph, in this case it is test=120000. This works as I would expect.

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) by Device | predict Device1 as predict1 future_timespan=10 holdback=2 | eval test=120000

However I would like to get it to work using a field that is already in the dataset for example:

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) by Device | predict Device1 as predict1 future_timespan=10 holdback=2 | eval test=field2

How do I do this?

I cannot get it to work, nothing shows up. I have even tried eval test=max(field2) but I am not sure if this can be done or is it my lack of understanding? I do not think I can place it as a parameter to predict as this will break my predict function.

EDIT1 Alternative method but same INCORRECT RESULT

I can actually put it as a parameter to the timechart, however it does not show any values for future dates which is what I am trying to achieve using the eval method.

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 max(field2) as f2 | predict f1 as predict1 future_timespan=10 holdback=2

EDIT2 Alternative method but same INCORRECT RESULT
Another way to do it, in using appendcols, but it produces the same as the above 2 methods:

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=2 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | timechart max(field2) as f2 ]

here is a pic of what I am talking about: (I want the yellow line to continue for the whole timespan)

[image]

EDIT3 Alternative method but almost CORRECT RESULT so getting better

now this at least looks like I am getting somewhere.
I have to do an appendcols of a new predict function and then drop the upper* and lower* fields to get what I want.

The downside to this is that you lose interactivity with the graph, which I don't like, but it is almost acceptable.

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=2 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | timechart max(field2) as f2 | predict f2 as f2 future_timespan=10] | fields - upper* lower*

this is a pic of what I have now

[image]

0 Karma

HattrickNZ
Motivator

my EDIT3 answer is the best I can do.

But surely there is a better way where the interactivity is not lost, I will await someone clever 🙂

0 Karma

HattrickNZ
Motivator

further comment on EDIT3
maybe best to have holdback=1 on both predict functions so the graph lines up

0 Karma

HattrickNZ
Motivator

put holdback=1 in both predict functions so they line up.

0 Karma

HattrickNZ
Motivator

Comment on Edit3
need to add span=d timechart max(field2) as f2 to handle the ability to predict further into the future
this also enables interactivity on the graph so all good.

But there must be a better way, I will wait...

0 Karma
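The EDIT3 search with the corrections from the follow-up comments folded in (holdback=1 on both predict commands, span=d on the subsearch timechart, the stray double pipe removed), followed by a variant that predicts both fields in a single predict command so that appendcols is not needed at all. This is an added example, not the poster's own search; the second form assumes predict accepts more than one field in one invocation, which this thread does not itself show, and the leading ... and index=... placeholders are left exactly as they appear in the original.

```spl
... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=1 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field2) as f2 | predict f2 as predict2 future_timespan=10 holdback=1] | fields - upper* lower*

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 max(field2) as f2 | predict f1 as predict1 f2 as predict2 future_timespan=10 holdback=1 | fields - upper* lower*
```

Because the second form runs one predict over one timechart, both predicted series share the same future buckets and the chart stays interactive.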