Splunk® Machine Learning Toolkit

User Guide

Creating, sharing, and deleting models in the Splunk Machine Learning Toolkit

The Splunk Machine Learning Toolkit (MLTK) provides custom search commands for machine learning. These commands use model files to store the results of running a machine learning algorithm on a dataset. A stored model can then be applied to other datasets.

About models

Models are Splunk platform knowledge objects with configurable sharing and permissions. Models are stored in the same way as lookups. To learn more about lookups, see About Lookups in the Knowledge Manager Manual.

Under the Models tab of the MLTK navigation bar, access any models created using the fit command on the Search tab. By default, user-level (private) models are stored in the following directory: $SPLUNK_HOME/etc/users/<user>/Splunk_ML_Toolkit/lookups

Model size is impacted by the data used and the chosen algorithm. Maximum model size is configurable and can be viewed from within the MLTK app. From the MLTK navigation bar select Settings and the name of any of the listed algorithms. See the field for max_model_size_mb.

[Image: Settings for the DensityFunction algorithm, with the Settings tab and the field for max model size highlighted.]

To learn more about how to manage model size and other MLTK settings, see Configure Algorithm Performance Costs.

Creating and using models

By default, MLTK models created with the fit command are created in the namespace of the user who ran the search. Models are created using the fit command and applied to datasets using the apply command. For more details, see:

Sharing models from other Splunk apps

MLTK can access pre-trained models provided by other Splunk apps, provided the following settings are in place:

  1. The pre-trained model has its sharing level set to global using standard knowledge object access settings.
  2. The pre-trained model does not have the same name as a model that already exists in MLTK.
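
The storage location, size limit, and naming condition described above can be checked from the file system. The following is an added example, not code from Splunk or MLTK: it walks the user-level lookups directories, lists each private model, and flags models whose file size exceeds a limit you supply or whose name matches a model another app plans to share globally. It assumes model files are named `__mlspl_<model>.mlmodel`, treats on-disk size as an approximation of the `max_model_size_mb` check, and uses hypothetical function names and a constructed sample tree.

```python
from pathlib import Path

# Assumption: model files are named __mlspl_<model>.mlmodel; other files in the
# lookups directory are ordinary lookups and are skipped.
PREFIX, SUFFIX = "__mlspl_", ".mlmodel"
MIB = 1024 * 1024

def inventory_models(splunk_home, size_limit_mb, shared_names=()):
    """List private models per user; flag size and name-collision issues.

    size_limit_mb: value read from the max_model_size_mb field in Settings.
    shared_names: names of pre-trained models another app plans to share globally.
    """
    report = []
    users_dir = Path(splunk_home) / "etc" / "users"
    for lookups in sorted(users_dir.glob("*/Splunk_ML_Toolkit/lookups")):
        user = lookups.parts[-3]  # .../users/<user>/Splunk_ML_Toolkit/lookups
        for path in sorted(lookups.iterdir()):
            name = path.name
            if not (path.is_file() and name.startswith(PREFIX) and name.endswith(SUFFIX)):
                continue
            model = name[len(PREFIX):-len(SUFFIX)]
            size_mb = path.stat().st_size / MIB
            report.append({
                "user": user,
                "model": model,
                "size_mb": round(size_mb, 2),
                "oversize": size_mb > size_limit_mb,
                "name_collision": model in shared_names,
            })
    return report

def build_sample_tree(root):
    """Constructed sample layout (not real data) for trying the function offline."""
    files = {
        "alice": {"__mlspl_fraud_detector.mlmodel": 2 * MIB, "regions.csv": 64},
        "bob": {"__mlspl_dns_anomaly.mlmodel": 1024},
    }
    for user, entries in files.items():
        d = Path(root) / "etc" / "users" / user / "Splunk_ML_Toolkit" / "lookups"
        d.mkdir(parents=True)
        for fname, size in entries.items():
            (d / fname).write_bytes(b"\0" * size)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as home:
        build_sample_tree(home)
        for row in inventory_models(home, 1, {"dns_anomaly"}):
            print(row)
```

On a real host, pass the value of $SPLUNK_HOME as the first argument and run the script as a user that can read every user's directory.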

Deleting models

You can also delete models through the Models page. Follow these steps to delete a model:

  1. Click Models on the MLTK navigation bar.
  2. On the Models page, select the model that needs deletion.
  3. Click Delete in the Actions column.
  4. In the Delete Model window, click Delete again to verify that you want to delete the model.
Last modified on 13 March, 2024

This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 5.3.3, 5.4.0, 5.4.1, 5.4.2