Splunk® Machine Learning Toolkit

User Guide

This documentation does not apply to the most recent version of Splunk® Machine Learning Toolkit. For documentation on the most recent version, go to the latest release.

Using the Splunk Machine Learning Toolkit

The Splunk Machine Learning Toolkit lets users create analytics in six useful areas: Predict Numeric Fields, Predict Categorical Fields, Detect Numeric Outliers, Detect Categorical Outliers, Forecast Time Series, and Cluster Numeric Events.

Get started by exploring interactive examples that step you through the entire process for IT, security, business, and IoT use cases. When you are ready, choose an Experiment Assistant to guide you in creating your own custom-built model. You also have complete access to the underlying SPL commands generated by the toolkit, which gives you the freedom to further customize your model and to operationalize it in any way you choose.

The Splunk Machine Learning Toolkit provides the following features:

  • A Showcase of different sample datasets to help new users explore machine-learning concepts. Each end-to-end example pre-populates an Assistant to demonstrate how to perform different types of machine learning analysis and prediction using best practices, including what ideal results would look like when using your own data. For details, see Showcase examples.
  • Experiments manage your data source, selected algorithm, and additional parameters used to configure that algorithm. The Experiment Management Framework (EMF) brings all aspects of a monitored machine learning pipeline into one interface with automated model versioning and lineage baked in. Add notes to your Experiment to better track your model adjustments, and look back at previous changes through the Experiments History tab. The Assistants that live within an Experiment make it easy for you to create machine learning models through a guided workflow interface. Each Assistant offers a choice of algorithms to fit and apply a model, with visualizations to help you interpret the results. Assistants are used with your own data, and generate Splunk SPL for you. For details, see Experiments.
  • Search command extensions that have been added to the Splunk Search Processing Language (SPL) to perform machine learning analytics on data, such as fitting and applying a model. Additional commands let you list, summarize, and delete learned models. For details, see Search commands for machine learning.
  • Custom visualizations, which are reusable information graphics for viewing and analyzing data in a particular format. For details, see Custom visualizations.
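The following searches are an added example of the fit, apply, and model-management commands described above; they are not taken from the toolkit's own documentation or Showcase. The lookup file web_traffic_sample.csv, the fields response_time, bytes_out and request_count, the model name example_response_model, and the residual threshold of 500 are all constructed for illustration. The first search trains a LinearRegression model and saves it, the second applies the saved model to new events and flags those whose actual value departs sharply from the prediction (apply writes its output to a field named predicted(<field>), so it is referenced with single quotes), and the remaining searches inspect, list, and remove the model.

```spl
| inputlookup web_traffic_sample.csv
| fit LinearRegression response_time from bytes_out request_count into example_response_model

| inputlookup web_traffic_sample.csv
| apply example_response_model
| eval residual = response_time - 'predicted(response_time)'
| where abs(residual) > 500
| table _time bytes_out request_count response_time 'predicted(response_time)' residual

| summary example_response_model

| listmodels

| deletemodel example_response_model
```

Each blank-line-separated group is a separate search. Models saved with the into clause appear on the Models tab, where their sharing settings can be reviewed; the deletemodel command is permanent, so confirm the model name with listmodels first.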

The MLTK navigation bar

You will find seven tabs to select from along the MLTK navigation bar including:

  • Showcases: End-to-end examples that pre-populate the chosen assistant with a sample dataset, and demonstrate the results.
  • Experiments: An Experiment is an exclusive knowledge object in Splunk that keeps track of its settings and history, as well as its affiliated alerts and scheduled trainings.
  • Search: Use your SPL knowledge to perform machine learning analytics on your chosen data.
  • Models: Access any models created using the fit command on the Search tab, or those made through the classic assistants. Model-related details such as Model Name, Algorithm Used, and Sharing settings are visible.
  • Classic: Click here for alerts and scheduled trainings that were created in the MLTK version 3.1 or below, as well as the legacy layout of the 6 guided model building Assistants.
  • Settings: Users with admin access can work within this interface to configure the settings of the fit and apply commands. Make changes for all algorithms, or for an individual algorithm.

The default settings will be applied to each algorithm unless it has its own value for a particular setting. To ensure you know the impact of making changes to these settings, we recommend adding the ML-SPL Performance App for the Machine Learning Toolkit to your setup via Splunkbase.

  • Docs: Clicking here takes you out of the toolkit and over to the documentation manual for the MLTK.
  • Video Tutorials: Clicking here takes you out of the toolkit and over to a series of videos on the MLTK.

Splunk Machine Learning Toolkit files

You can view the source code for the Splunk Machine Learning Toolkit app.

For Unix-based systems see $SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit
For Windows systems see %SPLUNK_HOME%\etc\apps\Splunk_ML_Toolkit

Please note: MLTK is not open source. The code is provided as an example and for educational purposes only.

Subdirectory              Description
appserver/static and /bin Contains the underlying code files (Python, JavaScript, CSS, and images).
/default                  Contains configuration and dashboard files.
/lookups                  Contains the sample datasets used in the Showcase examples, along with more information about the datasets and their licenses.
Last modified on 30 May, 2019

This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 4.0.0, 4.1.0, 4.2.0, 4.3.0

