Models
The Splunk Machine Learning Toolkit (MLTK) provides custom search commands for machine learning. These commands use model files to store machine learning algorithm results on a dataset. This model can then be applied to other datasets.
Models are Splunk platform knowledge objects with configurable sharing and permissions.
Under the Models tab of the MLTK navigation bar, access any models created using the fit command on the Search tab, or those made through the Classic layout of the guided modeling Assistants.
Creating and using models
Models are created using the fit command and applied to datasets using the apply command. For more details, see:
Namespacing and permissions
By default, MLTK models created with the fit command are created in the namespace of the user who ran the search.
Managing model permissions within Lookups
Model permissions can be managed from within the Models page, or via Lookups.
Navigate to Settings > Lookups to access or update MLTK knowledge object permissions. Model files on this page are prefixed with __mlspl_. For example, a model named my_model is contained in the __mlspl_my_model.csv knowledge object.
See Manage knowledge object permissions in the Knowledge Manager Manual for more details.
You can also prefix model names to manage permissions by using the fit, apply, summary, and deletemodel custom search commands:
| Prefix | SPL command(s) | Result |
|---|---|---|
| No prefix |
|
The fit command creates the model in the user's namespace.
|
| No prefix |
|
These commands use the first available model with the specified <model_name>.If a model with this name is available in both the user's private namespace and the shared application namespace, the model in the user's private namespace is used. If a model with this name is available only in the shared namespace, it is used. |
app:
|
|
The fit command saves the model into the shared application namespace.By default, only the admin and power roles can save models into the shared application namespace. |
app:
|
|
These commands use the model from the shared application namespace even if a model with the same name exists in the user's private namespace. |
The deletemodel command follows standard Splunk plaftorm namespace rules. If the specified model name exists in the shared app namespace but not in the user's private namespace, the shared model is deleted if the user has write permissions on it.
Sharing models from other Splunk apps
The MLTK can access pre-trained models provided by other Splunk apps, provided that:
- The model to be shared has its sharing level set to "global" using standard knowledge object access settings. See Make an object available to users of all apps in the Knowledge Manager Manual.
- The model to be shared does not have the same name as a model that already exists in the MLTK.
For more information about building custom Splunk apps, see the Splunk developer portal.
Upgrading from MLTK versions 2.2 and earlier
Prior to MLTK version 2.3, models were created in the shared application namespace. By default, all users could read from them and write to them.
Model namespacing and permissions have changed in version 2.3, as described in Namespacing and permissions.
| SPL command(s) | Result on MLTK versions 2.3 and later | Result on MLTK versions 2.2 and earlier |
|---|---|---|
fit... into <new_model_name> |
Creates a new model in the user's private namespace | Creates a new model in the shared application namespace |
While all users can read models created in earlier versions of the MLTK, only admin and power roles can write to those models.
| Cluster Numeric Events Experiment workflow | Manage models |
This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0
Download manual
Feedback submitted, thanks!