MLTK deep dives overview
The Splunk Machine Learning Toolkit (MLTK) lets you create, validate, manage, and operationalize machine learning models through a guided user interface. If you're unsure where to get started with MLTK you can use this series of deep dives to get walk-throughs of implementing the machine learning (ML) search commands that ship with MLTK for specific ML goals.
You can follow each deep dive from start to finish and implement the same operational outcomes in your own Splunk platform environment. Each deep dive consists of some example data sources, sample SPL code, and instructions for implementing the analytic.
You might need to tune or modify these examples to work properly on your data. SPL knowledge is valuable when trying to implement these deep dives in your own environment.
What makes ML different from other analytics in Splunk products?
Most analytics in the Splunk platform revolve around hard-to-find types of searches, where you are trying to spot a particular event or set of events that make up something of interest. For example, looking for memory errors on a server, or looking for a user running a process that is known to be malicious.
These types of analytics can usually be implemented with a single SPL search, whereas with ML you almost always need to run two searches: one to train a model, using the fit
command, and one to apply a model, using the apply
command.
The fit
command is similar to the outputlookup
command, and the apply
is similar to the lookup
. The apply stage is usually analogous with the hard-too-find detection search, but the training of models can seem unusual if you are new to machine learning.
To learn more about how to use the fit
and apply
commands, see Using the fit and apply commands.
Available deep dives
The following deep dives are available:
- Deep dive: Using ML to detect user access anomalies
- Deep dive: Using ML to detect outliers in error message rates
- Deep dive: Using ML to detect outliers in server response time
- Deep dive: Using ML to detect network traffic anomalies
- Deep dive: Create a data ingest anomaly detection dashboard using ML-SPL commands
- Deep dive: Inference externally trained ONNX models with MLTK
If you encounter questions while working on these deep dives, see Troubleshooting the deep dives.
See also
See the following resources to learn more about the Splunk Machine Learning Toolkit:
- What is the MLTK process?
- Preparing your data for machine learning
- Smart Assistants overview
- Configure algorithm performance costs
See the following resources to learn about the dedicated ML training course, our .conf archives, and numerous blog posts on the subject of machine learning and MLTK:
- Splunk 8.0 for Analytics and Data Science
- How Israel's Ministry of Energy applies Machine Learning to protect their Critical Infrastructure and OT Operations
- Augment your Security Monitoring Use Cases with MLTK's Machine Learning
- Anomaly Detection, Sealed with a KISS
- Cyclical Statistical Forecasts and Anomalies - Part 1
- Cyclical Statistical Forecasts and Anomalies - Part 2
- Cyclical Statistical Forecasts and Anomalies - Part 3
- Cyclical Statistical Forecasts and Anomalies - Part 4
- Cyclical Statistical Forecasts and Anomalies - Part 5
- Building Machine Learning Models with DensityFunction
- Anomalies Are Like a Gallon of Neapolitan Ice Cream - Part 1
- Anomalies Are Like a Gallon of Neapolitan Ice Cream - Part 2
Upload and inference pre-trained ONNX models in MLTK | Deep dive: Using ML to identify user access anomalies |
This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 5.4.1, 5.4.2
Feedback submitted, thanks!