Re: using eval on a field after using the predict ...

HattrickNZ · ‎05-07-2015

I have the follwoing search that does prediction, and what I want to do is add another column to this graph, in this case it is test=120000. This work as I would expect.

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) by Device | predict Device1 as predict1 future_timespan=10 holdback=2 | eval test=120000

However I would like to get it to work using a field that is already in the dataset for example:

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) by Device | predict Device1 as predict1 future_timespan=10 holdback=2 | eval test=field2
How do I do this?

I cannot get it to work, nothing shows up. I have even tried eval test=max(field2) but I am not sure if this can be done or is it my lack of understanding? I do not think I can place it as a parameter to predict as this will break my predict function.

EDIT1 Alternative method but same INCORRECT RESULT

I can actually put it as a parameter to the timechart, however it does not show any values for future dates which is what I am trying to achieve using the eval method.

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 max(field2) as f2 | predict f1 as predict1 future_timespan=10 holdback=2

EDIT2 Alternative method but same INCORRECT RESULT
Another way to do it, in using appendcols, but it produces the same as the above 2 methods:

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=2 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | timechart max(field2) as f2 ]

here is a pic of what I am talking about: (I want the yellow line to continue for the whole timespan)

EDIT3 Alternative method but alomost CORRECT RESULT sogetting better

now this at least looks like I am getting somewhere.
I have to do an appendcols of a new predict function and then drop the upper* and lower* fields to get what I want.

The downside to this is that you lose interactivity with the graph, which I don't like, but it is almost acceptable.

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=2 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | | timechart max(field2) as f2 | predict f2 as f2 future_timespan=10] | fields - upper* lower*

this is a pic of what I have now

HattrickNZ · ‎05-11-2015

my EDIT3 answer is the best I can do.

But surely there is a better way where the interactivity is not lost, I will await someone clever 🙂

HattrickNZ · ‎06-11-2015

further comment on EDIT3
maybe best to have holdback=1 on both predict functions so the graph lines up

HattrickNZ · ‎05-11-2015

put holdback=1 in both predict functions so they line up.

HattrickNZ · ‎05-11-2015

Comment on Edit3
need to add span=d timechart max(field2) as f2 to handle the ability to predict furter into the future
this also enables interactivity on the graph so all good.

But there must be a better way, I will wait...

using eval on a field after using the predict function

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation