Splunk® Machine Learning Toolkit

User Guide

This documentation does not apply to the most recent version of Splunk® Machine Learning Toolkit. For documentation on the most recent version, go to the latest release.

Install the Splunk Machine Learning Toolkit

The Splunk Machine Learning Toolkit (MLTK) enables users to create, validate, manage, and operationalize machine learning models through a guided user interface. Use the following directions to install the MLTK onto your system(s).

Requirements

The current version of the Splunk Machine Learning Toolkit is 3.4.0. In order to successfully run this version, the following is required:

Two previous versions of the MLTK (3.2.0 and 3.3.0) will successfully operate on versions 1.2 or 1.3 of the Python for Scientific Computing add-on. However, users cannot access new features in the MLTK without upgrading to the latest version of the toolkit. Version 3.4.0 of the toolkit requires the upgrade to version 1.3 of PSC.

Specific version dependencies:

| MLTK Version | PSC Version |
|--------------|-------------|
| 3.1          | 1.2         |
| 3.2          | 1.2 or 1.3  |
| 3.3          | 1.2 or 1.3  |
| 3.4          | 1.3         |

If you have written any custom algorithms that rely on the PSC libraries, upgrading to version 1.3 of the PSC library will impact those algorithms. You will need to re-train any models (re-run the search that used the fit command) using those algorithms after you upgrade PSC.

Splunk Cloud deployments

Follow the appropriate directions below for your instance of self-service or managed Splunk Cloud.

Splunk Cloud trial and self-service Splunk Cloud

Install the Python for Scientific Computing add-on and the Splunk Machine Learning Toolkit app to your self-service instance of Splunk Cloud using the app browser in Splunk Cloud.

  1. Log in to your Splunk Cloud instance.
  2. From the Splunk Web home screen, click on the gear icon next to Apps in the left navigation bar.
  3. Click Browse more apps.
  4. Search for the Python for Scientific Computing add-on and install it.
  5. Search for the Splunk Machine Learning Toolkit app and install it.

Managed Splunk Cloud

Open a ticket with support and request that the Python for Scientific Computing add-on and the Splunk Machine Learning Toolkit app be installed for you.

Splunk Enterprise deployments

Single instance deployment

Install the Python for Scientific Computing add-on and Splunk Machine Learning Toolkit app onto your single instance Splunk Enterprise.

  1. Install the Python for Scientific Computing add-on first (required).
  2. Install the Splunk Machine Learning Toolkit app.

To install an app or add-on in Splunk Web

  1. In Splunk Web, click on the gear icon next to Apps in the left navigation bar.
  2. On the Apps page, click Install app from file.
  3. Click Choose File, navigate to and select the package file for the app or add-on, then click Open.
  4. Click Upload.

To install an app or add-on from the command line

  • At the command line, enter the following.
    Unix/Linux:
    ./splunk install app <path/packagename>
    Windows:
    splunk install app <path\packagename>
  • Alternatively, unpack/unzip the file then copy the app directory to $SPLUNK_HOME/etc/apps on Unix based systems or %SPLUNK_HOME%\etc\apps on Windows systems.

Distributed deployment

Use the tables below to determine where and how to install the Splunk Machine Learning Toolkit and Python for Scientific Computing add-on in a distributed deployment of Splunk Enterprise. Depending on your environment, you may need to install the Splunk Machine Learning Toolkit and Python for Scientific Computing add-on in multiple places.

Where to install Splunk Machine Learning Toolkit and Python for Scientific Computing

This table provides a reference for installing the Splunk Machine Learning Toolkit and Python for Scientific Computing to a distributed deployment of Splunk Enterprise.

| Splunk instance type | Supported | Required | Actions required / Comments |
|----------------------|-----------|----------|-----------------------------|
| Search Heads | Yes | Yes | Install Python for Scientific Computing and the Splunk Machine Learning Toolkit to all search heads where the Splunk Machine Learning Toolkit is used. Search heads must be running Splunk Enterprise 6.4 or greater. |
| Indexers | Yes | Conditional | If you want to use the distributed apply feature of the Splunk Machine Learning Toolkit, install Python for Scientific Computing on all of your indexers. This feature is disabled by default. See Use your indexers to apply models for information. Indexers must be running Splunk Enterprise 6.3 or greater. The Splunk Machine Learning Toolkit does not need to be installed on the indexers to enable this functionality. |
| Heavy Forwarders | Yes | No | These apps do not contain a data collection component. |
| Universal Forwarders | Yes | No | These apps do not contain a data collection component. |
| Light Forwarders | Yes | No | These apps do not contain a data collection component. |

Distributed deployment feature compatibility

This table describes the compatibility of the Splunk Machine Learning Toolkit and Python for Scientific Computing add-on with Splunk distributed deployment features.

| Distributed deployment feature | Supported | Actions required |
|--------------------------------|-----------|------------------|
| Search Head Clusters | Yes | Search heads must be running Splunk Enterprise 6.4 or greater. |
| Indexer Clusters | Yes | If you want to use the distributed apply feature of the Splunk Machine Learning Toolkit, install Python for Scientific Computing on the indexers in your cluster. This feature is disabled by default. See Use your indexers to apply models for information. Indexers must be running Splunk Enterprise 6.3 or greater. The Splunk Machine Learning Toolkit does not need to be installed on the indexers in your cluster to enable this functionality. |
| Deployment Server | Yes | |

Use your indexers to apply models

If you have more than one Splunk indexer and want to take advantage of the parallel computing power available on your standalone Splunk indexers or Splunk indexing cluster, you can configure your indexers to run the apply command, a CPU-intensive task that applies machine-learning models.

Do the following:

  1. Install the Python for Scientific Computing add-on on all of your indexers.
  2. On each search head in your deployment, open the local mlspl.conf configuration file in a text editor:
    • $SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit/local/mlspl.conf on Unix based systems
    • %SPLUNK_HOME%\etc\apps\Splunk_ML_Toolkit\local\mlspl.conf on Windows systems.
    Create the mlspl.conf in the local directory if one does not exist.
  3. Copy the [default] stanza from the default mlspl.conf configuration file to the local version of the configuration file if this stanza is not present. The default mlspl.conf file is located at:
    • $SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit/default/mlspl.conf on Unix based systems
    • %SPLUNK_HOME%\etc\apps\Splunk_ML_Toolkit\default\mlspl.conf on Windows systems.
  4. Change the streaming_apply setting to true as follows: streaming_apply = true

Use the deployment methodology of your choice to make these configuration changes.
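Steps 2 through 4 can be scripted so that every search head gets the same result. The following is an added example, not Splunk's own code: it creates local/mlspl.conf if needed, copies the [default] stanza only when it is absent, and sets streaming_apply inside that stanza without touching other stanzas. The sample file contents (example_setting, [ExampleAlgo], and the starting value false) are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\[([^\]]+)\]$")
SETTING = "streaming_apply = true"
# Constructed sample: every name except streaming_apply is made up for this example.
SAMPLE = "[default]\nstreaming_apply = false\nexample_setting = 1\n\n[ExampleAlgo]\nexample_setting = 2\n"

def read_stanza(conf_path, stanza="default"):
    """Return the non-blank lines of one stanza, without its header."""
    body, inside = [], False
    for line in Path(conf_path).read_text().splitlines():
        header = STANZA.match(line.strip())
        if header:
            inside = header.group(1) == stanza
        elif inside and line.strip():
            body.append(line)
    return body

def enable_streaming_apply(app_dir):
    """Apply steps 2-4 to <app_dir>/local/mlspl.conf; return the new file text."""
    default = Path(app_dir) / "default" / "mlspl.conf"
    local = Path(app_dir) / "local" / "mlspl.conf"
    local.parent.mkdir(parents=True, exist_ok=True)       # step 2: create local/ if absent
    lines = local.read_text().splitlines() if local.exists() else []
    if not any(l.strip() == "[default]" for l in lines):  # step 3: copy stanza if missing
        lines += ["[default]"] + (read_stanza(default) if default.exists() else [])
    out, current, done = [], None, False
    for line in lines:                                    # step 4: edit [default] only
        header = STANZA.match(line.strip())
        if header:
            if current == "default" and not done:
                out.append(SETTING)                       # stanza had no such key: add it
                done = True
            current = header.group(1)
        elif current == "default" and re.match(r"\s*streaming_apply\s*=", line):
            line, done = SETTING, True
        out.append(line)
    if current == "default" and not done:
        out.append(SETTING)
    local.write_text("\n".join(out) + "\n")
    return local.read_text()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "Splunk_ML_Toolkit" / "default" / "mlspl.conf"
        conf.parent.mkdir(parents=True)
        conf.write_text(SAMPLE)
        return enable_streaming_apply(conf.parent.parent)
```

Running the function a second time leaves the file unchanged, so it is safe to push repeatedly from a deployment tool.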

Last modified on 14 September, 2018

This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 3.4.0

