Models
The Splunk Machine Learning Toolkit (MLTK) provides custom search commands that use model files to store the results of running a machine learning algorithm on one dataset so that it can be applied later on another dataset.
Models are Splunk platform knowledge objects with configurable sharing and permissions.
Creating and using models
Models are created using the fit command and applied to datasets using the apply command. For more details, see Search commands for machine learning.
Namespacing and permissions
By default, MLTK models created with the fit command are created in the namespace of the user who ran the search command.
Managing model permissions
Navigate to Settings > Lookups to access or update MLTK knowledge object permissions. Model files on this page are prefixed with "__mlspl_". For example, a model named "my_model" is contained in the "__mlspl_my_model.csv" knowledge object.
See Manage knowledge object permissions in the Knowledge Manager Manual for more details.
You can also prefix model names to manage permissions by using the fit, apply, summary, and deletemodel custom search commands:
| Prefix | SPL command(s) | Result |
|---|---|---|
| No prefix |
|
The fit command creates the model in the user's namespace.
|
| No prefix |
|
These commands use the first available model with the specified <model_name>.If a model with this name is available in both the user's private namespace and the shared application namespace, the model in the user's private namespace is used. If a model with this name is available only in the shared namespace, it is used. |
app:
|
|
The fit command saves the model into the shared application namespace.By default, only the admin and power roles can save models into the shared application namespace. |
app:
|
|
These commands use the model from the shared application namespace even if a model with the same name exists in the user's private namespace. |
The "deletemodel" command follows standard Splunk plaftorm namespace rules. If the specified model name exists in the shared app namespace but not in the user's private namespace, the shared model is deleted if the user has write permissions on it.
Sharing models from other Splunk apps
The MLTK can access pre-trained models provided by other Splunk apps, provided that:
- The model to be shared has its sharing level set to "global" using standard knowledge object access settings. See "Manage knowledge object permissions: Make an object available to users of all apps" in the Knowledge Manager Manual.
- The model to be shared does not have the same name as a model that already exists in the MLTK.
For more information about building custom Splunk apps, see the Splunk developer portal.
Upgrading from MLTK versions 2.2 and earlier
Prior to MLTK version 2.3, models were created in the shared application namespace. By default, all users could read from them and write to them.
Model namespacing and permissions have changed in version 2.3, as described in Namespacing and permissions.
| SPL command(s) | Result on MLTK versions 2.3 and later | Result on MLTK versions 2.2 and earlier |
|---|---|---|
fit... into <new_model_name> |
Creates a new model in the user's private namespace | Creates a new model in the shared application namespace |
While all users can read models created in earlier versions of the MLTK, only admin and power roles can write to those models.
| Algorithm permissions | Custom visualizations |
This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 2.3.0, 2.4.0, 3.0.0, 3.1.0
Download manual
Feedback submitted, thanks!