Splunk® Machine Learning Toolkit

User Guide

This documentation does not apply to the most recent version of Splunk® Machine Learning Toolkit. For documentation on the most recent version, go to the latest release.

Custom visualizations in the Machine Learning Toolkit

The Splunk Machine Learning Toolkit includes several reusable custom visualizations that you can use in your own dashboards. Each visualization expects data in a certain format with certain fields, that you can see in the syntax portion of the visualization descriptions.

Custom visualization workflow

Follow these steps to apply a custom visualization to your data:

  1. Run a search from the Search page in the Splunk Machine Learning Toolkit or the default Search & Reporting app on the Splunk platform.

  2. Click the Visualization tab, then click the menu at the top left to display available visualizations.

    This image shows the Search page of the Machine Learning Toolkit. Four tabs are available to view on this page including Events, Patterns, Statistics and Visualization. The Visualization tab is selected. Ther are several visualizations to choose from. In this example the Bar Chart is selected.
  3. Select a visualization.

You can use these custom visualizations on any Splunk platform instance on which the Splunk Machine Learning Toolkit is installed.

Many of these visualizations also display within the Machine Learning Toolkit Assistants. For more information on step-by-step Assistant options, see MLTK guided workflows.

3D Scatter Plot

3D Scatterplot.png

Use the 3D Scatter Plot to see patterns in your data. Look for clusters of similar data points, or drill down to identify singular data points.

Users upgrading to version 4.4.0 of the MLTK where a custom theme is in place for the 3D Scatter Plot must change the 3D Scatter Plot background color format setting to the new option of Auto for the visualization to adhere to your global light/ dark Splunk dashboard theme.

Search fragment 

search_fragment = | table clusterId x y z [clusterColor]

Syntax 

| eval clusterColor = case(clusterId=0, "teal", clusterId=2, "#09B1DF") 
| table clusterId x y z clusterColor

The clusterColor parameter is optional. The clusterColor parameter supports written color names or any hex color code. To review the list of supported color names, see the GitHub bahamas10 css color names. If no clusterColor parameter is provided the scatter plot uses default css colors supported in all modern web browsers.

The | table clusterId x y z line must be provided for the visualization to render properly.

Example

The following example uses 3D Scatter Plot on a test set. 

| inputlookup firewall_traffic.csv 
| eval clusterId=serial_number, x=bytes_received, y=bytes_sent, z=packets_received, clusterColor = case(clusterId="sn_0009C101998", "#56BD93")
| table clusterId x y z clusterColor

Example output

The following example shows 3D Scatter Plot on a test set.

This image shows how the Visualizations tab of the toolkit and how the 3D scatter plot visualization renders using the example SPL.

Boxplot Chart

Box Plot Chart.png

Use the Boxplot Chart to show the minimum, lower quartile, median, upper quartile, and maximum of each field.

Boxplot requires the input of the macro | `boxplot` in order to render. Failing to include the macro displays an error.

Search fragment 

search_fragment = | boxplot  ...

The box plot chart visualization expects five rows corresponding to min, max, median, lower quartile and upper quartile, in any order.

  • exactperc25 is the lower quartile
  • exactperc75 is the upper quartile

Example

The following example uses Boxplot Chart on a test set. 

 | inputlookup app_usage.csv  | `boxplot`

Example output

The following image shows Boxplot Chart on a test set.

This image shows the Boxplot Chart visualization rendered for a time frame of the last 24 hours taken from the Showcase example to Cluster Behavior by App Usage.

Distribution Plot

Dist Plot viz.png

Use the Distribution Plot to show the output of the DensityFunction algorithm. This visualization can be called with either the fit or apply commands.

This visualization requires the use of fit DensityFunction or apply in combination with show_density=True show_options="feature_variables, split_by, params".

Search fragment 

search_fragment = | fit DensityFunction <field> [by "<fields>"]
show_density=True
show_options="feature_variables, split_by, params"

Example

The following example uses Distribution Plot on a test set. 

... | fit DensityFunction "quantity" by "shop_id" dist=auto threshold=0.01 show_density=True show_options="feature_variables,split_by,params"...

Example output

The following example shows Distribution Plot on a test set.

This image shows the Distribution Plot visualization portion of a search within the Machine Learning Toolkit. The plot shows data across five different shops as in the example data.

Downsampled Line Chart

MLApp Modviz lines.png

Use the Downsampled Line Chart to show values and trends over time implementing downsampling to show large numbers of points.

Search fragment 

search_fragment = | table <x_axis> <y_axis_1> <y_axis_2> ...

Example

The following example uses Downsampled Line Chart on a test set. 

... | table _time, "median_house_value", "predicted(median_house_value)" ...

Example output

The following image shows the Actual vs. Predicted Line Chart and the Residuals Line Chart that are also available when using the Predict Numeric Fields Assistant.

This image shows the Actual vs. Predicted Line Chart and the Residuals Line Chart visualizations taken from the Showcase example to Predict Server Power Consumption.

Forecast Chart

MLApp Modviz forecast.png

Use the Forecast Chart to show the forecasted value for data This visualization is available in the Forecast Time Series Assistant and Smart Forecasting Assistant, which use different macros to produce the output:

  • The Forecast Time Series Assistant uses the fit or predict commands with the ARIMA algorithm.
  • The Smart Forecasting Assistant uses the fit command with the StateSpaceForecast algorithm.

Search fragment 

search_fragment = | timechart count [by comparison_category] | modvizpredict (<field>, <algorithm>, <future_timespan>, <holdback>, <confidence_interval>)

Syntax 

 | fit ARIMA [_time] <field_to_forecast>  order=<int>-<int>-<int> [forecast_k=<int>] [conf_interval=<int>] [holdback=<int>] | `forecastviz(<forecast_k>, <holdback>, <field_to_forecast>, <conf_interval>)`

 | fit StateSpaceForecast variable_name1 [variable_name2] [variable_name3] [variable_name4] [variable_name5] output_metadata=true [conf_interval=<int>] | `smartforecastviz(<variable_name1> [,<variable_name2>] [, <variable_name3] [, <variable_name4] [, <variable_name5>])`

Examples

The following examples use Forecast Chart on a test set. 

| inputlookup exchange.csv | fit ARIMA _time rate holdback=5 conf_interval=95 order=1-0-1 forecast_k=10 as prediction | `forecastviz(10, 5, "rate", 95)`

| inputlookup app_usage.csv | fields CRM ERP Expenses | fit StateSpaceForecast CRM ERP output_metadata=true holdback=0 forecast_k=50 conf_interval=50 into app_usage_model | `smartforecastviz(CRM, ERP)`

Example output

The following image shows the Forecast Chart on test data.

This screen capture shows the Forecast Chart visualization output using CRM, ERP, and Expenses test data.

Heatmap Plot

MLTK heatmap viz.png

Use the Heatmap Plot to show data values as colors in a table matrix.

Search fragment 

search_fragment = | `confusionmatrix(<x_axis>, <y_axis>)`

Example

The following example uses Heatmap Plot on a test set. 

| inputlookup firewall_traffic.csv | head 50000  | fit AutoPrediction "has_known_vulnerability" from "bytes_received" "packets_received" "packets_sent" "bytes_sent" "used_by_malware" test_split_ratio=0.3 into "default_model_name" | eval "_split"=case('_split'="Test", "Testing", '_split'="Training", "Training") | where '_split'="Testing" | `confusionmatrix("has_known_vulnerability", "predicted(has_known_vulnerability)")`

Example output

The following example shows Heatmap Plot on a test set.

This screen capture shows the Heatmap Plot as taken from the Showcase example to Predict the Presence of Vulnerabilities.

Histogram Chart

MLApp Modviz histogram.png

Use the Histogram Chart to show continuous data as bucketed by the bin command.

Search fragment 

search_fragment = | `histogram(<field, bins>)`

Example

The following example uses Histogram Chart on a test set. 

... | bin residual bins=100 ...

Example output

The following image shows the Residuals Histogram on a test set.

This screen capture shows the Residuals Histogram as taken from the Showcase example to Predict VPN Usage.

Outliers Chart

MLApp Modviz outliers.png

Use the Outliers Chart to show the acceptable range for a value and to highlight the points that are outside of this range.

Search fragment 

search_fragment = | table _time, <outlier_variable>, <lower_bound>, <upper_bound>

Example

The following example uses Outliers Chart on a test set. 

... | table _time, quantity, lowerBound, upperBound, isOutlier ...

Example output

The following image shows the Outliers Chart on a test set.

This screen capture shows the Data and Outliers Chart as taken from the Showcase example to Detect Cyclical Outliers in Logins.

Scatter Line Chart

MLApp Modviz scatterline.png

Use the Scatter Line Chart to show the relationships between discrete values in two dimensions, as well as an additional identity (x=y) line.

Serch fragment 

search_fragment = | table <x_axis> <y_axis>

Example

The following example uses Scatter Line Chart on a test set. 

... | table "median_house_value" "predicted(median_house_value)" ...

Example output

The following image shows Scatter Chart on a test set.

This screen capture shows the Actual vs. Predicted Scatter Chart as taken from the Showcase example to Predict Future Logins.

Scatterplot Matrix

MLApp scatterplotmatrix.png

Use the Scatterplot Matrix to show the relationships between discrete values in multiple dimensions.

All field values must be numeric in order to render the Scatterplot Matrix.

Search fragment 

search_fragment = | table <name_category>, <dimension_1>, <dimension_2>, <dimension_3> ...

Example

The following example uses Scatterplot Matrix on a test set. 

... | table cluster, "avg_rooms_per_dwelling", "business_acres", "median_house_value" ...

Example output

The following example shows the Scatterplot Matrix on a test set.

screen capture shows the Scatterplot Matrix as generated from the Showcase example data to Cluster Neighborhoods by Properties.

Last modified on 14 June, 2023
Search macros in the Machine Learning Toolkit   Algorithms in the Machine Learning Toolkit

This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters