I think there is a better option. You can use subsearch in predict command that will dynamically generate the list of fields to predict. Using Splunk tutorial data, i.e counting events based on status code and predicting it:
index="tutorial" sourcetype=access_combined_wcookie | timechart count by status | predict [search index="tutorial" sourcetype=access_combined_wcookie | stats values(status) as status | eval status=mvjoin(status, ", ") | rename status as search]
subsearch
search index="tutorial" sourcetype=access_combined_wcookie | stats values(status) as status | eval status=mvjoin(status, ", ") | rename status as search
will generate list of fields ( 200, 4004, 500,..) that predict command will take an generate prediction from.
Just an idea....
... View more