using eval on a field after using the predict func...

HattrickNZ · ‎05-07-2015

I have the follwoing search that does prediction, and what I want to do is add another column to this graph, in this case it is test=120000. This work as I would expect.

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) by Device | predict Device1 as predict1 future_timespan=10 holdback=2 | eval test=120000

However I would like to get it to work using a field that is already in the dataset for example:

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) by Device | predict Device1 as predict1 future_timespan=10 holdback=2 | eval test=field2
How do I do this?

I cannot get it to work, nothing shows up. I have even tried eval test=max(field2) but I am not sure if this can be done or is it my lack of understanding? I do not think I can place it as a parameter to predict as this will break my predict function.

EDIT1 Alternative method but same INCORRECT RESULT

I can actually put it as a parameter to the timechart, however it does not show any values for future dates which is what I am trying to achieve using the eval method.

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 max(field2) as f2 | predict f1 as predict1 future_timespan=10 holdback=2

EDIT2 Alternative method but same INCORRECT RESULT
Another way to do it, in using appendcols, but it produces the same as the above 2 methods:

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=2 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | timechart max(field2) as f2 ]

here is a pic of what I am talking about: (I want the yellow line to continue for the whole timespan)

EDIT3 Alternative method but alomost CORRECT RESULT sogetting better

now this at least looks like I am getting somewhere.
I have to do an appendcols of a new predict function and then drop the upper* and lower* fields to get what I want.

The downside to this is that you lose interactivity with the graph, which I don't like, but it is almost acceptable.

... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=2 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | | timechart max(field2) as f2 | predict f2 as f2 future_timespan=10] | fields - upper* lower*

this is a pic of what I have now

HattrickNZ · ‎05-11-2015

my EDIT3 answer is the best I can do.

But surely there is a better way where the interactivity is not lost, I will await someone clever 🙂

HattrickNZ · ‎06-11-2015

further comment on EDIT3
maybe best to have holdback=1 on both predict functions so the graph lines up

HattrickNZ · ‎05-11-2015

put holdback=1 in both predict functions so they line up.

HattrickNZ · ‎05-11-2015

Comment on Edit3
need to add span=d timechart max(field2) as f2 to handle the ability to predict furter into the future
this also enables interactivity on the graph so all good.

But there must be a better way, I will wait...

using eval on a field after using the predict function

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...