Splunk® Machine Learning Toolkit

User Guide

This documentation does not apply to the most recent version of Splunk® Machine Learning Toolkit. For documentation on the most recent version, go to the latest release.

Install the Machine Learning Toolkit

The Splunk Machine Learning Toolkit (MLTK) enables users to create, validate, manage, and operationalize machine learning models through a guided user interface. Use the following directions to install the MLTK onto your system(s).

Requirements

In order to successfully run the Machine Learning Toolkit, the following is required:

Choose the appropriate version of the Python for Scientific Computing (PSC) add-on for your environment:

Version 4.0.0 of the PSC add-on is only available for MLTK version 5.3.3. Users upgrading to version 4.0.0 of the PSC add-on must follow some additional installation steps. See Install version 4.0.0 of the Python for Scientific Computing add-on.

Specific version dependencies

For version information that includes MLTK, the PSC add-on, Python, and Splunk Enterprise, see Machine Learning Toolkit version dependencies matrix.

| MLTK version | PSC version |
|---|---|
| 5.3.3 | 3.0.2, 3.1.0, 4.0.0, 4.1.0, or 4.1.2 |
| 5.3.1 | 3.0.0, 3.0.1, or 3.0.2 |
| 5.3.0 | 3.0.0, 3.0.1, or 3.0.2 |
| 5.2.2 | 2.0.0, 2.0.1, or 2.0.2 |
| 5.2.1 | 2.0.0, 2.0.1, or 2.0.2 |
| 5.2.0 | 2.0.0, 2.0.1, or 2.0.2 |
| 5.1.0 | 2.0.0, 2.0.1, or 2.0.2 |
| 5.0.0 | 2.0.0, 2.0.1, or 2.0.2 |
| 4.5.0 | 1.4 |
| 4.4.2 | 1.3 or 1.4 |
| 4.4.1 | 1.3 or 1.4 |
| 4.4.0 | 1.3 or 1.4 |
| 4.3.0 | 1.3 or 1.4 |
| 4.2.0 | 1.3 or 1.4 |
| 4.1.0 | 1.3 |
| 4.0.0 | 1.3 |
| 3.4.0 | 1.3 |
| 3.3.0 | 1.2 or 1.3 |
| 3.2.0 | 1.2 or 1.3 |
| 3.1.0 | 1.2 |

Splunk Cloud Platform deployments

Follow the appropriate directions for your instance of Splunk Cloud Platform.

Splunk Cloud Platform trial

Install the Python for Scientific Computing add-on and the Splunk Machine Learning Toolkit app to your instance of Splunk Cloud Platform trial:

  1. Log into your Splunk Cloud Platform trial instance.
  2. From the Splunk Web home screen, click on the gear icon next to Apps in the left navigation bar.
  3. Click Browse more apps.
  4. Search for the Python for Scientific Computing add-on and install it.
  5. Search for the Splunk Machine Learning Toolkit app and install it.

Splunk Cloud Platform

Open a ticket with support and request an installation of the Python for Scientific Computing add-on and Splunk Machine Learning Toolkit app.

Splunk Enterprise single instance deployments

Follow these directions for single instance deployments.

Install the Python for Scientific Computing add-on

  1. In Splunk Web, click on the gear icon next to Apps in the left navigation bar.
  2. On the Apps page, click Install app from file.
  3. Click Choose File, navigate to and select the package file for the PSC add-on, then click Open.
  4. Click Upload.

On some Windows installations, installing PSC through the Splunk Manage Apps user interface results in an error. This error is usually benign and can be ignored. In some cases it is necessary to manually unpack the package in the apps directory to get past the error.

Install version 4.0.0 of the Python for Scientific Computing add-on

Version 4.0.0 of the Python for Scientific Computing (PSC) add-on provides updates and adds several libraries to the package, in particular PyTorch, cpuonly, transformers, onnxruntime, pydantic, and watchdog.

The build size of the PSC add-on version 4.0.0 might exceed the default value of max_upload_size, which can prevent you from installing the package using the Install app from file option under Manage Apps.

Perform the following steps if you are installing the PSC add-on version 4.0.0 or higher, especially if you use a Linux OS:

  1. Increase the Splunk Web upload limit to at least 1 GB by creating a file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza:
    [settings]
    max_upload_size = 1024
    
  2. To restart Splunk from the Splunk toolbar, select Settings > Server controls and click Restart Splunk.
  3. On the Splunk toolbar, select Apps > Manage Apps and click Install App from File.
  4. Click Choose File and select the Python for Scientific Computing add-on file.
  5. Click Upload to begin the installation.

On some Windows installations, installing PSC through the Splunk Manage Apps user interface results in an error. This error is usually benign and can be ignored. In some cases it is necessary to manually unpack the package in the apps directory to get past the error.

Install the Splunk Machine Learning Toolkit app

  1. In Splunk Web, click on the gear icon next to Apps in the left navigation bar.
  2. On the Apps page, click Install app from file.
  3. Click Choose File, navigate to and select the package file for the MLTK app, then click Open.
  4. Click Upload.

Install an app or add-on from the command line

At the command line, enter the following content, depending on your operating system.

Unix/Linux:
    ./splunk install app <path/packagename>

Windows:
    splunk install app <path\packagename>

Alternatively, unpack/unzip the file then copy the app directory to $SPLUNK_HOME/etc/apps on Unix based systems or %SPLUNK_HOME%\etc\apps on Windows systems.
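
Before unpacking a package by hand into the apps directory as described above, the archive can be inspected for members that would land outside a single app directory. This is an added example, not Splunk's code; it assumes the package is a gzip-compressed tar file, and the function names and sample archive contents are constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath

def audit_app_archive(fileobj):
    """Return (app_dir, problems) for a gzip'd tar app package, without extracting it."""
    problems, top_dirs = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for m in tar.getmembers():
            path = PurePosixPath(m.name)
            # Absolute paths or ".." components would write outside etc/apps.
            if path.is_absolute() or ".." in path.parts:
                problems.append(f"path escapes target directory: {m.name}")
                continue
            if path.parts:
                top_dirs.add(path.parts[0])
            # Links can redirect later writes; devices and FIFOs do not belong in an app.
            if m.issym() or m.islnk():
                problems.append(f"link member: {m.name} -> {m.linkname}")
            elif not (m.isfile() or m.isdir()):
                problems.append(f"special file (device/FIFO): {m.name}")
            if m.mode & 0o6000:
                problems.append(f"setuid/setgid bit set: {m.name}")
    # A well-formed package unpacks into exactly one directory under etc/apps.
    if len(top_dirs) != 1:
        problems.append(f"expected one top-level app directory, found {sorted(top_dirs)}")
    app_dir = next(iter(top_dirs)) if len(top_dirs) == 1 else None
    return app_dir, problems

def build_sample(members):
    """Constructed sample: build a small .tgz in memory from (name, data) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# Constructed archive contents, not the real package layout.
GOOD = [("Splunk_ML_Toolkit/default/app.conf", b"[ui]\n"),
        ("Splunk_ML_Toolkit/bin/example.py", b"")]
BAD = GOOD + [("../system/local/web.conf", b"[settings]\n")]

if __name__ == "__main__":
    for label, members in (("good", GOOD), ("bad", BAD)):
        print(label, audit_app_archive(build_sample(members)))
```

Unpack the package only when the returned problem list is empty and the reported directory name is the app you expect.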

Splunk Enterprise distributed deployments

Use the following tables to determine where and how to install the Splunk Machine Learning Toolkit and Python for Scientific Computing add-on in a distributed deployment of Splunk Enterprise. Depending on your environment, you may need to install the Splunk Machine Learning Toolkit and Python for Scientific Computing add-on in multiple places.

Where to install Splunk Machine Learning Toolkit and Python for Scientific Computing add-on

This table provides a reference for installing the Splunk Machine Learning Toolkit (MLTK) and Python for Scientific Computing add-on (PSC) to a distributed deployment of Splunk Enterprise.

| Splunk instance type | Supported | MLTK required | PSC required | Actions required / Comments |
|---|---|---|---|---|
| Search Heads | Yes | Yes | Yes | Install MLTK and the PSC add-on to all search heads where the Machine Learning Toolkit is used. Search heads must be running Splunk Enterprise 6.6 or greater. |
| Indexers | No | No | No | Do not install on Indexers. |
| Heavy Forwarders | No | No | No | These apps do not contain a data collection component. |
| Universal Forwarders | No | No | No | These apps do not contain a data collection component. |
| Light Forwarders | No | No | No | These apps do not contain a data collection component. |

Distributed deployment feature compatibility

This table describes the compatibility of the Splunk Machine Learning Toolkit and Python for Scientific Computing add-on with Splunk distributed deployment features.

| Distributed deployment feature | Supported | Actions required |
|---|---|---|
| Search Head Clusters | Yes | Search heads must be running Splunk Enterprise version 6.6.x or higher. |
| Indexer Clusters | No | Do not install on Indexer Clusters. |

Machine Learning Toolkit files

You can view the source code for the Machine Learning Toolkit app in Unix and Windows environments:

  • For Unix-based systems, see $SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit.
  • For Windows systems, see %SPLUNK_HOME%\etc\apps\Splunk_ML_Toolkit.

The Machine Learning Toolkit is not open source and MLTK source code is provided as an example only, and for educational purposes.

Refer to the following table for sub-directory names and descriptions:

| Subdirectory | Description |
|---|---|
| appserver/static and /bin | Contains the underlying code files for Python, JavaScript, CSS, and images. |
| /default | Contains configuration and dashboard files. |
| /lookups | Contains the sample datasets used in the Showcase examples, along with more information about the datasets and their licenses. |

Bundle replication

Permanent model files, sometimes referred to as learned models or encoded lookups, are saved on disk. These files follow Splunk knowledge object rules, including permissions and bundle replication. Bundle replication is the process by which knowledge objects on the search head are distributed to the indexers.

The Machine Learning Toolkit includes a number of example model files that support the Showcase page. These examples are powered by .csv lookup files. To prevent performance issues, these .csv lookup files are not included in the MLTK bundle replication process.

Last modified on 11 April, 2023

This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 5.3.3

