Splunk® Machine Learning Toolkit

User Guide

Download manual as PDF

This documentation does not apply to the most recent version of MLApp. Click here for the latest version.
Download topic as PDF

Predict Categorical Fields

The Predict Categorical Fields assistant displays a type of learning known as classification. A classification algorithm learns the tendency for data to belong to one category or another based on related data. The classification table below shows the actual state of the field versus predicted state of the field. The yellow bar highlights an incorrect prediction.

This classification table shows the actual state versus predicted state of the field.


The Predict categorical Fields assistant uses the following classification algorithms:

Fit a model to predict a categorical field


  • For information about preprocessing, see Preprocessing in the Splunk Machine Learning ML-SPL API Guide.
  • If you are not sure which algorithm to choose, start with the default algorithm, Logistic Regression, or see Algorithms.


  1. Run a search.
  2. (Optional) Add preprocessing steps.
  3. Select the algorithm to use to predict field values.
  4. Select the categorical field you want to predict.
  5. This list of fields is populated by the search you just ran.

  6. Select a combination of fields you want to use to predict the categorical field.
  7. This list contains all of the fields from your search except for the field you selected to predict.

  8. Specify how much of your data to use for training (fitting the data model) versus testing (validating the model afterwards).
  9. The data is divided randomly into two groups. The default split is 50/50.

  10. Fill out any additional fields required by the algorithm you selected.
  11. To get information about a field, hover over it to see a tooltip.

  12. Enter a name in the Save the model as field. The model is saved when you click outside the field.
  13. You must specify a name for the model in order to fit a model on a schedule or schedule an alert. You can find your model in the saved history.

  14. Click Fit Model.

Interpret and validate

After you fit the model, review the prediction results and visualizations to see how well the model predicted the categorical field. In this analysis, metrics are related to misclassifying the field, and are based on false positives and negatives, and true positives and negatives.

Result Application
Precision This statistic is the percentage of the time a predicted class is the correct class.
Recall This statistic is the percentage of time that the correct class is predicted.
Accuracy This statistic is the overall percentage of correct predictions.
F1 This statistic is the the weighted average of precision and recall, based on a scale from zero to one. The closer the statistic is to one, the better the fit of the model.
Classification Results (Confusion Matrix) This table charts the number of actual results against predicted results, also known as a Confusion Matrix. The shaded diagonal numbers should be high (closer to 100%), while the other numbers should be closer to 0.

Refine the model

After you validate the model, you can refine the model by adjusting which fields you use to predict the categorical field and fit the model again:

  • Remove fields that might generate a distraction.
  • Try adding more fields. In the Load Existing Settings tab, which displays a history of models you have fitted, sort by the statistics to see which combination of fields yielded the best results.

Deploy the model

After you validate and refine the model, deploy it.

  1. Click the icon to the right of Fit Model to schedule model training.
  2. Mlapp fitmodelscheduleicon.jpg

    You can set up a regular interval to fit the model, such as every week.

  3. (Optional) To access it, click Scheduled Jobs > Scheduled Training in the menu.
  4. Click Open in Search to open a new Search tab.
  5. This shows you the search query that uses all data, not just the training set.

  6. Click Show SPL to see the search query that was used to fit the model.
  7. For example, you could use this same query on a different data set.

  8. Click the Schedule Alert to set up an alert that is triggered when the predicted value meets a threshold you specify.
  9. After you save the alert, you can access it from the Scheduled Jobs > Alerts menu.
  10. For more information about alerts, see Getting started with alerts in the Splunk Enterprise Alerting Manual.
Predict Numeric Fields
Detect Numeric Outliers

This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 2.4.0, 3.0.0, 3.1.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters