Install the Splunk Machine Learning Toolkit
Requirements
The Splunk Machine Learning Toolkit requires the following:
- Splunk Enterprise 6.4 or later or Splunk Cloud
- The Splunk Machine Learning Toolkit
- The Python for Scientific Computing add-on version 1.2 or later
Splunk Cloud deployments
Splunk Cloud trial and self-service Splunk Cloud
Install the Python for Scientific Computing add-on and the Splunk Machine Learning Toolkit app to your self-service instance of Splunk Cloud using the app browser in Splunk Cloud.
- Log in to your Splunk Cloud instance.
- From the Splunk Web home screen, click on the gear icon next to Apps in the left navigation bar.
- Click Browse more apps.
- Search for the Python for Scientific Computing add-on and install it.
- Search for the Splunk Machine Learning Toolkit app and install it.
Managed Splunk Cloud
Open a ticket with support and request the Python for Scientific Computing add-on and Splunk Machine Learning Tooklit app to be installed for you.
Splunk Enterprise deployments
Single instance deployment
Install the Python for Scientific Computing add-on and Splunk Machine Learning Toolkit app onto your single instance Splunk Enterprise.
- Install the Python for Scientific Computing add-on first (required).
- Install the Splunk Machine Learning Toolkit app.
To install an app or add-on in Splunk Web
- In Splunk Web, click on the gear icon next to Apps in the left navigation bar.
- On the Apps page, click Install app from file.
- Click Choose File, navigate to and select the package file for the app or add-on, then click Open.
- Click Upload.
To install an app or add-on from the command line
- At the command line, enter the following. Unix/Linux:
./splunk install app <path/packagename>Windows:
splunk install app <path\packagename>
$SPLUNK_HOME/etc/apps on Unix based systems or %SPLUNK_HOME%\etc\apps on Windows systems.Distributed deployment
Use the tables below to determine where and how to install the Splunk Machine Learning Toolkit and Python for Scientific Computing add-on in a distributed deployment of Splunk Enterprise. Depending on your environment, you may need to install the Splunk Machine Learning Toolkit and Python for Scientific Computing add-on in multiple places.
Where to install Splunk Machine Learning Toolkit and Python for Scientific Computing
This table provides a reference for installing the Splunk Machine Learning Toolkit and Python for Scientific Computing to a distributed deployment of Splunk Enterprise.
| Splunk instance type | Supported | Required | Actions required / Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | Install Python for Scientific Computing and the Splunk Machine Learning Toolkit to all search heads where the Splunk Machine Learning Toolkit is used. Search heads must be running Splunk Enterprise 6.4 or greater. |
| Indexers | Yes | Conditional | If you want to use the distributed apply feature of the Splunk Machine Learning Toolkit, install Python for Scientific Computing on all of your indexers. This feature is disabled by default. See Use your indexers to apply models for information. Indexers must be running Splunk Enterprise 6.3 or greater. The Splunk Machine Learning Toolkit does not need to be installed on the indexers to enable this functionality. |
| Heavy Forwarders | Yes | No | These apps do not contain a data collection component. |
| Universal Forwarders | Yes | No | These apps do not contain a data collection component. |
| Light Forwarders | Yes | No | These apps do not contain a data collection component. |
Distributed deployment feature compatibility
This table describes the compatibility of the Splunk Machine Learning Toolkit and Python for Scientific Computing add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Actions required |
|---|---|---|
| Search Head Clusters | Yes | Search heads must be running Splunk Enterprise 6.4 or greater. |
| Indexer Clusters | Yes | If you want to use the distributed apply feature of the Splunk Machine Learning Toolkit, install Python for Scientific Computing on the indexers in your cluster. This feature is disabled by default. See Use your indexers to apply models for information. Indexers must be running Splunk Enterprise 6.3 or greater. The Splunk Machine Learning Toolkit does not need to be installed on the indexers in your cluster to enable this functionality. |
| Deployment Server | Yes |
Use your indexers to apply models
If you have more than one Splunk indexer and want to take advantage of the parallel computing power available on your standalone Splunk indexers or Splunk indexing cluster, you can configure your indexers to run the applycommand, a CPU-intensive task that applies machine-learning models.
Do the following:
- Install the Python for Scientific Computing add-on on all of your indexers.
- On each search head in your deployment, open the local
mlspl.confconfiguration file in a text editor:$SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit/local/mlspl.confon Unix based systems%SPLUNK_HOME%\etc\apps\Splunk_ML_Toolkit\local\mlspl.confon Windows systems.
Create themlspl.confin the local directory if one does not exist. - Copy the
[default]stanza from the defaultmlspl.confconfiguration file to the local version of the configuration file if this stanza is not present. The defaultmlspl.conffile is located at:$SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit/default/mlspl.confon Unix based systems%SPLUNK_HOME%\etc\apps\Splunk_ML_Toolkit\default\mlspl.confon Windows systems.
- Change the
streaming_applycommand totrueas follows:streaming_apply = true
Use the deployment methodology of your choice to make these configuration changes.
- For information about updating search head cluster members, see Use the deployer to distribute apps and configuration updates in the Distributed Search manual.
- For information about updating peers in an indexer cluster, see Manage app deployment across all peers in the Managing Indexers and Clusters of Indexers manual.
| About the Splunk Machine Learning Toolkit | Upgrade the Splunk Machine Learning Toolkit |
This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 2.3.0, 2.4.0, 3.0.0, 3.1.0
Download manual
Feedback submitted, thanks!