MLTK deep dives overview
The Splunk Machine Learning Toolkit (MLTK) lets you create, validate, manage, and operationalize machine learning models through a guided user interface. If you're unsure where to get started with MLTK you can use this series of deep dives to get walk-throughs of implementing the machine learning (ML) search commands that ship with MLTK for specific ML goals.
You can follow each deep dive from start to finish and implement the same operational outcomes in your own Splunk platform environment. Each deep dive consists of some example data sources, sample SPL code, and instructions for implementing the analytic.
You might need to tun or modify these examples to work properly on your data. SPL knowledge is valuable when trying to implement these deep dives in your own environment.
What makes ML different from other analytics in Splunk products?
Most analytics in the Splunk platform revolve around hard-to-find types of searches, where you are trying to spot a particular event or set of events that make up something of interest. For example, looking for memory errors on a server, or looking for a user running a process that is known to be malicious.
These types of analytics can usually be implemented with a single SPL search, whereas with ML you almost always need to run two searches: one to train a model, using the
fit command, and one to apply a model, using the
fit command is similar to the
outputlookup command, and the
apply is similar to the
lookup. The apply stage is usually analogous with the hard-too-find detection search, but the training of models can seem unusual if you are new to machine learning.
To learn more about how to use the
apply commands, see Using the fit and apply commands.
Available deep dives
The following deep dives are available:
- Deep Dive: Using ML to detect user access anomalies
- Deep Dive: Using ML to detect outliers in error message rates
- Deep Dive: Using ML to detect outliers in server response time
- Deep Dive: Using ML to detect network traffic anomalies
- Deep Dive: Create a data ingest anomaly detection dashboard using ML-SPL commands
If you encounter questions while working on these deep dives, see Troubleshooting the deep dives.
See the following resources to learn more about the Splunk Machine Learning Toolkit:
- What is the MLTK process?
- Preparing your data for machine learning
- Smart Assistants overview
- Configure algorithm performance costs
See the following resources to learn about the dedicated ML training course, our .conf archives, and numerous blog posts on the subject of machine learning and MLTK:
- Splunk for Analytics and Data Science course
- How Israel's Ministry of Energy applies Machine Learning to protect their Critical Infrastructure and OT Operations
- Augment your Security Monitoring Use Cases with MLTK's Machine Learning
- Anomaly Detection, Sealed with a KISS
- Cyclical Statistical Forecasts and Anomalies - Part 1
- Cyclical Statistical Forecasts and Anomalies - Part 2
- Cyclical Statistical Forecasts and Anomalies - Part 3
- Cyclical Statistical Forecasts and Anomalies - Part 4
- Cyclical Statistical Forecasts and Anomalies - Part 5
- Anomalies Are Like a Gallon of Neapolitan Ice Cream - Part 1
- Anomalies Are Like a Gallon of Neapolitan Ice Cream - Part 2
- Building Machine Learning Models with DensityFunction
- ITSI and Sophisticated Machine Learning
Upload and inference pre-trained ONNX models in MLTK
Deep dive: Using ML to identify user access anomalies
This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 4.5.0, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.3, 5.4.0
Feedback submitted, thanks!