Splunk® Machine Learning Toolkit

User Guide

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® Machine Learning Toolkit. Click here for the latest version.
Acrobat logo Download topic as PDF


The Splunk Machine Learning Toolkit (MLTK) provides custom search commands that use model files to store the results of running a machine learning algorithm on one dataset so that it can be applied later on another dataset.

Models are Splunk platform knowledge objects with configurable sharing and permissions.

Creating and using models

Models are created using the fit command and applied to datasets using the apply command. For more details, see Search commands for machine learning.

Namespacing and permissions

By default, MLTK models created with the fit command are created in the namespace of the user who ran the search command.

Managing model permissions

Navigate to Settings > Lookups to access or update MLTK knowledge object permissions. Model files on this page are prefixed with "__mlspl_". For example, a model named "my_model" is contained in the "__mlspl_my_model.csv" knowledge object.

See Manage knowledge object permissions in the Knowledge Manager Manual for more details.

You can also prefix model names to manage permissions by using the fit, apply, summary, and deletemodel custom search commands:

Prefix SPL command(s) Result
No prefix
  • fit ... into <model_name>
The fit command creates the model in the user's namespace.
No prefix
  • apply <model_name>
  • summary <model_name>
  • deletemodel <model_name>
These commands use the first available model with the specified <model_name>.

If a model with this name is available in both the user's private namespace and the shared application namespace, the model in the user's private namespace is used.

If a model with this name is available only in the shared namespace, it is used.
  • fit ... into app:<model_name>
The fit command saves the model into the shared application namespace.

By default, only the admin and power roles can save models into the shared application namespace.
  • apply app:<model_name>
  • summary app:<model_name>
  • deletemodel app:<model_name>
These commands use the model from the shared application namespace even if a model with the same name exists in the user's private namespace.

The "deletemodel" command follows standard Splunk plaftorm namespace rules. If the specified model name exists in the shared app namespace but not in the user's private namespace, the shared model is deleted if the user has write permissions on it.

Sharing models from other Splunk apps

The MLTK can access pre-trained models provided by other Splunk apps, provided that:

For more information about building custom Splunk apps, see the Splunk developer portal.

Upgrading from MLTK versions 2.2 and earlier

Prior to MLTK version 2.3, models were created in the shared application namespace. By default, all users could read from them and write to them.

Model namespacing and permissions have changed in version 2.3, as described in Namespacing and permissions.

SPL command(s) Result on MLTK versions 2.3 and later Result on MLTK versions 2.2 and earlier
fit... into <new_model_name>
Creates a new model in the user's private namespace Creates a new model in the shared application namespace

While all users can read models created in earlier versions of the MLTK, only admin and power roles can write to those models.

Last modified on 11 April, 2018
Algorithm permissions
Manage models

This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 2.3.0, 2.4.0, 3.0.0, 3.1.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters