Splunk® Machine Learning Toolkit

User Guide

This documentation does not apply to the most recent version of Splunk® Machine Learning Toolkit. For documentation on the most recent version, go to the latest release.

Using the Splunk Machine Learning Toolkit

The Splunk Machine Learning Toolkit provides the following features:

  • A Showcase of examples that help new users through the display of different sample datasets within each of the assistants for you to explore machine-learning concepts. Each end-to-end example pre-populates an assistant to demonstrate how to perform different types of machine learning analysis and prediction using best practices, with what ideal results would look like when using your own data.
  • An Experiments management framework that manages your data source, the algorithm used, and the additional parameters that configure that algorithm. Add notes to your Experiment to better track your model adjustments, and look back at previous changes through the Experiments History tab. For details, see Experiments.
  • Assistants that live within an Experiment, and make it easier for you to create machine learning models through a guided workflow interface. Each assistant offers a choice of algorithms to fit and apply a model, with visualizations to help you interpret the results. Assistants are used with your own data, and generate Splunk SPL for you.
  • Search command extensions that have been added to the Splunk Search Processing Language (SPL) to perform machine learning analytics on data, such as fitting and applying a model, as well as commands to list, summarize, and delete learned models. For details, see Search commands for machine learning.
  • Custom visualizations, which are reusable information graphics for viewing and analyzing data in a particular format. For details, see Custom visualizations.

The MLTK navigation bar

You will find seven tabs to select from along the orange MLTK bar including:

  • Showcases: End-to-end examples that pre-populate the chosen assistant with a sample dataset, and demonstrate the results.
  • Experiments: An Experiment is an exclusive knowledge object in Splunk that keeps track of its settings and history, as well as its affiliated alerts and scheduled trainings.
  • Search: Use your SPL knowledge to perform machine learning analytics on your chosen data.
  • Models: Models are Splunk platform knowledge objects with configurable sharing and permissions.
  • Legacy: Click here for assistants, alerts, and scheduled trainings made in version 3.1 or earlier.
  • Docs: Clicking here takes you out of the tool and over to the MLTK documentation manual.
  • Video Tutorials: Clicking here takes you out of the tool and over to a series of videos on all things MLTK.

Explore the Showcase examples

If you want to jump right in and explore, go to the Showcase page and open the examples, organized by type of analytic. Each example uses a sample dataset to demonstrate aspects of machine learning. By default all examples are displayed, but you can filter them by use case:

  • IT
  • Security
  • Business
  • Internet of things

When you click an example, the corresponding assistant is then populated with dataset options that correspond to the analytic.

For more about each example, see Showcase examples.

About the Experiments management framework

Experiments were introduced to the Machine Learning Toolkit in version 3.2. Experiments are an MLTK-exclusive knowledge object within Splunk that keeps track of the settings and history in the assistant, as well as any affiliated alerts and scheduled trainings.

Each experiment contains the following sections that vary depending on the type of machine learning analytic being performed:

  • Create or Detect: Follow the workflow laid out in the experiment to create a new model or forecast, or detect outliers. The workflow depends on the type of analytic but usually includes performing a lookup on a dataset, selecting a field to predict or analyze, and selecting fields or values to use for performing different types of analysis.
  • Experiment History tab: Each time you use an experiment, a history is captured of the settings used. Compare the effects of different searches, algorithms and parameters, and identify the best choices for your use.
  • Raw Data Preview: This section is displayed for predictions and forecasts to show you the data that is being used.
  • Validate: Use the tables and visualizations to determine how well the model was fitted, how well outliers were detected, or how well a forecast performed.
  • Deploy: Click the buttons beneath the visualizations and tables to see different ways to use the analysis. For example, you can open the search in the Search app, show the SPL, or create an alert.

To learn more about using this feature, and for further details about the assistants themselves, see Experiments.

Accessing content from your earlier (version 3.1 or below) version of MLTK

Any Models you previously created remain under the Models tab. For your older assistants, alerts and scheduled trainings, look under the Legacy tab on the MLTK navigation bar.

For more detailed information about changes between versions, see What's new.

Splunk Machine Learning Toolkit files

To view the source code for the Splunk Machine Learning Toolkit app, see $SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit on Unix-based systems or %SPLUNK_HOME%\etc\apps\Splunk_ML_Toolkit on Windows systems.

Please note: MLTK is not open source. The code is provided as an example and for educational purposes only.

Subdirectory                  Description
/appserver/static and /bin    Contains the underlying code files (Python, JavaScript, CSS, and images).
/default                      Contains configuration and dashboard files.
/lookups                      Contains the sample datasets used in the Showcase examples, along with more information about the datasets and their licenses.
Last modified on 20 June, 2018

This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 3.2.0, 3.3.0
