Splunk® Machine Learning Toolkit

User Guide

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Machine Learning Toolkit. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Cluster Numeric Events

The Cluster Numeric Events assistant partitions events with multiple numeric fields into groups of events based on the values of those fields. The groupings aren't known in advance, therefore, the learning is unsupervised.


This visualization shows four clusters, differentiable by color.


Algorithms

The Cluster Numeric Events assistant uses the following algorithms:

Workflow

To cluster numeric events, input data, optionally perform preprocessing, then select the algorithm to use for clustering and other parameters as necessary.

  1. Enter a search.
  2. A data preview is generated so you can preview the data.

  3. Add preprocessing steps if desired.
  4. See Preprocessing for information.

  5. Select the algorithm to use for clustering.
  6. Specify the fields to use.
  7. If your data has been preprocessed, you should choose from the preprocessed fields.

  8. For K-means, Birch, and Spectral Clustering, specify the number of clusters to use. For DBSCAN, specify a value between 0 and 1 for eps (the size of the neighborhood).
  9. Smaller numbers result in more clusters.

  10. Name the model if you want to save it.
  11. You must specify a name for the model in order to schedule clustering or schedule an alert. This name and the settings you select are saved in the history in the Load Existing Settings tab. You cannot save a model if you use the DBSCAN or Spectral Clustering algorithm.

  12. Click Cluster.

Interpret and validate

After the numeric events are clustered, review the cluster visualization. The fields included in the visualization are listed. You can add and remove fields, and then click Visualize to change the visualization.

You can drag a selection rectangle around some of the points in a plot to see the corresponding points on the other plots.

MLApp selectionrectangle.png

The visualization displays a maximum of 1000 points, 20 series and 6 fields (1 label and 5 variables).

Deploy clustering

  1. Click the icon in the right part of the Cluster button to run the clustering on a schedule.

  2. Mla cluster schedule.png
    You can set up a regular interval to run clustering, such as every week. After saving the schedule, you can access it from the Scheduled Jobs > Scheduled Training menu. You cannot schedule clustering if you use the DBSCAN or Spectral Clustering algorithms or if you do not specify a name for the model.
  3. Next to the Cluster, click the Open in Search to open a new Search tab, filled out with the search query that was used to fit the model.
  4. Click Show SPL next to the Cluster button to see the search query that was used for the clustering with comments that contain explanations.
  5. You can use this same query on a different data set.

  6. Click the Schedule Alert button beneath the cluster visualization to set up an alert that triggers when the number of events in a cluster exceeds a threshold you specify.
  7. After you save the alert, you can access it from the Scheduled Jobs > Alerts menu. For more information about alerts, see Getting started with alerts in the Splunk Enterprise Alerting Manual. Alerts cannot be scheduled if you use the DBSCAN or Spectral Clustering algorithms or if you do not specify a name for the model.

Last modified on 11 April, 2018
PREVIOUS
Forecast Time Series
  NEXT
Preprocessing

This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 2.4.0, 3.0.0, 3.1.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters