Hi,

You are applying a table command after a timechart and prediction command. There is actually, no event command from your timechart - your timechart (and the subsequent fields like residual,anomaly etc.) are all based on evals of count. There is no way events are going to be captured AFTER you apply a timechart command and just use the count , based on the timechart for further processing.
For example, if i write something like this | eval event="vvvv" | table |table event, anomaly, count , then you will receive an event field with vvv as the field values, see what I mean?
It is difficult to say what actually you want under the event field , but if I just slightly modify your timechart command to something like this - |timechart span=5m sum(count) as count, values(_raw) as event and then run the rest of your query (including |table event,anomaly,count) you WILL get values under the event field (event =_raw) in this case.
My example is bad and the query takes a long time to execute, try running this for last 15 mins. What i did was select the _audit index so that you can use the code as it is, run this code for the lats 15 minutes and see the otuput index="_audit" | timechart span=5m sum(count) as count, values(_raw) as event
| predict count as prediction algorithm=LLP5 future_timespan=200 holdback=0
| eval residual=count-round(prediction,0)
| streamstats window=200 current=true median(residual) as median_of_residual
| eval abs_dev=(abs(residual - median_of_residual))
| streamstats window=200 current=true median(abs_dev) as median_abs_dev
| eval upper_bound=(median_of_residual + median_abs_dev * 20)
| eval anomaly=if(residual > upper_bound,1,0)|table event, anomaly, count

So, either you need to include what you mean by event in the timechart(your prediction for count will remain unscathed ) OR define something using an eval for the event to pick values