Hi All,
My complete query to predict the future forecast is shown below:
index=predict sourcetype=anktest | search busy!=null | timechart count(eval(busy>500)) as critical , count(eval(write>500)) as overwrite | eval serverbusy=critical | table _time serverbusy
| predict "serverbusy" as prediction algorithm="LLP" future_timespan="5" holdback="0" lower"95"=lower"95" upper"95"=upper"95" | forecastviz(5, 0, "serverbusy", 95)
I am using the Kalman filter algorithm. After running the forecast button, I am getting the below error:
External search command 'predict' returned error code 1.
What do I need to do to get rid of this error?
Were you able to solve the problem? I have the same problem; were you able to solve it?
Hi @ankycampy,
Can you confirm that this search:
index=predict sourcetype=anktest | search busy!=null | timechart count(eval(busy>500)) AS critical
| predict "critical" as prediction algorithm="LLP" future_timespan="15" holdback="0" lower"95"=lower"95" upper"95"=upper"95"
works fine on both 6.5.5 and 6.6.3?
Can you also confirm which version of the MLTK you are using?
Hi,
No, this query is running fine on 6.5.5 only and getting the error code 1 on 6.6.3.
I am using MLTK 2.3.0 on Splunk 6.6.3.
Refer to one of my previous answers; the predict command requires a preceding timechart command. Refer to the predict command documentation as well: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Predict
https://answers.splunk.com/answers/551271/forecast-time-series-assistant-returning-error-cod.html
Hi,
index=predict sourcetype=anktest | search busy!=null | timechart count(eval(busy>500)) AS critical
| predict "critical" as prediction algorithm="LLP" future_timespan="15" holdback="0" lower"95"=lower"95" upper"95"=upper"95"
| `forecastviz(15, 0, "critical", 95)`
After running the above query I am getting the same error. I am using Splunk version 6.6.3, whereas when I run the below query on Splunk version 6.5.5, where the MLTK app is not installed, it runs fine and gives me results.
index=predict sourcetype=anktest | search busy!=null | timechart count(eval(busy>500)) AS critical
| predict "critical" as prediction algorithm="LLP" future_timespan="15" holdback="0" lower"95"=lower"95" upper"95"=upper"95"
The only difference between the above two queries is below:
forecastviz(15, 0, "critical", 95)
This string is not used where MLTK is not installed. What is wrong here?
Could you solve the problem? I'm getting the same error.
I ran the following run-anywhere search in 6.6.2 and MLTK 2.3.0 and added the forecastviz() function; it worked fine when I used it in the Forecast chart.
index=_internal sourcetype=splunkd
| timechart count(eval(log_level="ERROR")) as Error
| predict "Error" as prediction algorithm="LLP" future_timespan="15" holdback="0" lower"95"=lower"95" upper"95"=upper"95"
| `forecastviz(15, 0, "Error", 95)`
I will try with 6.6.3, but it might take some time before I upgrade. So see if you can use 6.6.2 instead of 6.6.3.
@ankycampy, I just tested Splunk 6.6.3 with the latest MLTK 2.4.0 on a Windows 64-bit machine with Python for Scientific Computing Add-On 1.2, and the above query worked fine for me.
Please make sure your query without forecastviz(15, 0, "Error", 95) is returning results.
I have downgraded to Splunk version 6.6.1 and am using MLTK 2.3.0 now, and all queries are working fine now. Using Splunk Enterprise on a RHEL instance.
Thanks!
@ankycampy, surprisingly Splunk Enterprise 6.6.3 worked with MLTK 2.4.0. So, I cannot request you to create a bug. I am also not sure whether there is a right answer for your issue. You can either accept this answer or convert your own previous comment to an answer and accept the same to mark this question as answered.
Same here; works fine for me.
@woodcock, I bet you are on 6.6.3. Can you please confirm?
I have v6.6.2
Hi Niket,
Thanks for the post. I am using timechart in my query to generate time series data and then applying predict, but I am still getting the same error.
Reduced query as below:
index=predict sourcetype=anktest | search wcsbusy!=null
| timechart count(eval(wcsbusy>500)) as critical
| predict "critical" as prediction algorithm="LLP" future_timespan="15" holdback="0" lower"95"=lower"95" upper"95"=upper"95"
| `forecastviz(15, 0, "critical", 95)`
Getting the same error:
External search command 'predict' returned error code 1.