Hi all,
I am using Splunk 5.0 and I tried the query below with the predict function as given in the document:
source="hdfs://172.25.192.226:8020/user/cloudera/input/taskmanager_log20111210_09.19.49.txt"| transaction TaskAction startswith=START endswith=Succeeded| timechart count(duration) by TaskAction|predict count(duration) as Durationf
but it throws this error:
command="predict", Too few data points: 0. Need at least 2
Thanks in advance,
Poornima
How do I predict all fields in that table without specifying all of them? Is there something like | predict * ?
As noted in the docs linked by Drainy, predict takes a field name - no wildcards.
I've extended predict to allow it to take '*' as a wildcard
Maybe you can too?
...Laurie:{)
Hey @laurie_gellatly,
Can you please share your idea about how you extended predict to use a wildcard or dynamic column name with the predict function?
Hi @VatsalJagani,
I need to check I'm allowed to post the changes I made to predict.py
That's why I haven't already done it 🙂
Cheers ...Laurie:{)
Feel free to publish your extended predict as an app on Splunkbase.
Yup, that's the table.
...in case you wanted more than a verification of that being the table, look for the column you wanted to predict called "count(duration)" - it doesn't exist, hence cannot be predicted.
Hi Martin,
Below is the table produced by the timechart.
Please verify.
I've said this in a few questions, but please, please read the docs. With that error the first thing you should do is read the docs:
http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Predict
Nowhere does it say you can use stats commands. In this case you would rename your count and use:
| predict count as Durationf
Right, and it won't work because of the split by.
Renaming the count(duration) shouldn't help because it's split up with a by clause.
Right, that isn't a predictable field; you'd need to do an AS rename to change it to something like count or dur_count to then run predict on.
I referred to the document and only then used this command...
predict
|predict count(duration) as DurationF
Look at the table produced by your timechart. There's no column "count(duration)", hence predict complains about too few data points.
I suggested you look at the result of the timechart to see what columns there are. Only those columns are put into the predict, hence only those columns are available to be predicted.
Hi Martin,
I changed the query, but this time I got a different error.
As you suggested,
source="hdfs://172.25.192.226:8020/user/cloudera/input/taskmanager_log20111210_09.19.49.txt"| transaction TaskAction_1 startswith=START endswith=Succeeded|Table _time TaskAction_1 duration|predict duration AS dur_count
It shows this error:
External search command 'predict' returned error code 1