Splunk Search

prediction in splunk

splunkpoornima
Communicator

hi all,

I am on Splunk 5.0 and I tried the query below with the predict function as given in the documentation:

source="hdfs://172.25.192.226:8020/user/cloudera/input/taskmanager_log20111210_09.19.49.txt"| transaction TaskAction startswith=START endswith=Succeeded| timechart count(duration) by TaskAction|predict count(duration) as Durationf

but it throws me this error:

command="predict", Too few data points: 0. Need at least 2

Thanks in Advance

poornima


pachurrito62
Explorer

How do I predict all fields in that table without specifying all of them? Is there something like | predict * ?


martin_mueller
SplunkTrust

As noted in the docs linked by Drainy, predict takes a field name - no wildcards.


laurie_gellatly
Communicator

I've extended predict to allow it to take '*' as a wildcard
Maybe you can too?

...Laurie:{)

VatsalJagani
SplunkTrust

Hey @laurie_gellatly,
Can you please share your idea about how you extended predict to use a wildcard or a dynamic column name with the predict function?


laurie_gellatly
Communicator

Hi @VatsalJagani,
I need to check I'm allowed to post the changes I made to predict.py
That's why I haven't already done it 🙂

Cheers ...Laurie:{)


martin_mueller
SplunkTrust

Feel free to publish your extended predict as an app on splunkbase.


martin_mueller
SplunkTrust

Yup, that's the table.

...in case you wanted more than a verification of that being the table, look for the column you wanted to predict called "count(duration)" - it doesn't exist, hence cannot be predicted.


splunkpoornima
Communicator

Hi Martin,

below is the table produced by the timechart

[image: the table produced by the timechart]

please verify


Drainy
Champion

I've said this in a few questions, but please, please read the docs. With that error the first thing you should do is read the docs:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Predict

Nowhere does it say you can use stats commands. In this case you would rename your count and use:

| predict count as Durationf

Drainy
Champion

Right, and it won't work because of the split by

martin_mueller
SplunkTrust

Renaming the count(duration) shouldn't help because it's split up with a by clause.

Drainy
Champion

Right, that isn't a predictable field; you'd need to do an AS rename to change it to something like count or dur_count to then run predict on.

splunkpoornima
Communicator

I referred to the document and only then did I use this command...

predict [AS ]

|predict count(duration) as DurationF


martin_mueller
SplunkTrust

Look at the table produced by your timechart. There's no column "count(duration)", hence predict complains about too few data points.


martin_mueller
SplunkTrust

I suggested you look at the result of the timechart to see what columns there are. Only those columns are put into the predict, hence only those columns are available to be predicted.

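A corrected form of the search from the question, added here as an editor's example and not a search posted by any participant in the thread. It applies the two points made above: the timechart column is given a plain name with AS so that predict has a field it can actually find, and the split-by clause is dropped so the count lands in that single column instead of one column per TaskAction value. The source path is the one from the question; dur_count and dur_count_predicted are names chosen for this example.

```spl
source="hdfs://172.25.192.226:8020/user/cloudera/input/taskmanager_log20111210_09.19.49.txt"
| transaction TaskAction startswith=START endswith=Succeeded
| timechart count(duration) AS dur_count
| predict dur_count AS dur_count_predicted
```

If the split by TaskAction is needed, timechart emits one column per TaskAction value and predict must be given one of those column names explicitly, since it accepts a single field name and no wildcard. predict also expects the evenly spaced time series that timechart produces, which is why it is placed directly after timechart rather than after a plain table of events.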

splunkpoornima
Communicator

Hi Martin,

I changed the query as you suggested, but this time I got a different error:

source="hdfs://172.25.192.226:8020/user/cloudera/input/taskmanager_log20111210_09.19.49.txt"| transaction TaskAction_1 startswith=START endswith=Succeeded|Table _time TaskAction_1 duration|predict duration AS dur_count

It shows this error:

External search command 'predict' returned error code 1
