Splunk® Machine Learning Toolkit

User Guide

Smart Assistants overview

Smart Assistants enable advanced query building and machine learning outcomes for users with little to no Search Processing Language (SPL) knowledge. Built on the backbone of the Experiment Management Framework (EMF), Smart Assistants offer a guided workflow through which you can create new Experiments. Smart Assistants let you quickly move from fitting a model on historic data to applying a model on real-time data and taking action.

There are four Smart Assistants available:

  • Smart Clustering Assistant
  • Smart Forecasting Assistant
  • Smart Outlier Detection Assistant
  • Smart Prediction Assistant

Smart Assistant workflow

Select one of the available Smart Assistants to create a new Experiment and then move through the stages of Define, Learn, Review, and Operationalize. Steps in each stage let you load data, build your model, and put that model into production.

Each stage offers data preview and visualization panels. As with Experiment Assistants, you have access to modeling history, a method to view the underlying SPL, and the option to add notes as you work.

This image shows the Smart Forecasting Assistant mid-process. The Define, Learn, and Review stages are all available. The Operationalize stage is greyed out as the Review stage is not yet completed. The image shows a visualization view into the data loaded into the Smart Assistant.

Saved Experiments

Once you save an Experiment built with a Smart Assistant, a new knowledge object is created in the Splunk platform. This knowledge object keeps track of all the settings for the Experiment pipeline, as well as affiliated alerts and scheduled trainings.

Save your work prior to scheduling a training job for the Experiment, managing alerts for an Experiment, or deploying an Experiment.

The saved knowledge object enables you to:

  • Organize your Experiment around solving a business problem with machine learning.
  • Keep all of your modeling history and experimentation in one place.

Experiments are knowledge objects that are bound to the user who creates them. Experiment-built models cannot be shared in the GUI. Use the publish or export options to share models generated in an Experiment with another app or user.

Users with admin permissions can access stored MLTK model data in the following .conf file: SPLUNK_HOME/etc/users/username/Splunk_ML_Toolkit/local/experiments.conf. To learn more about .conf files, see About configuration files in the Splunk Enterprise Admin Manual.

Operationalize models

You can operationalize your persisted models to other SPL workflows in the Splunk platform through the publish functionality, as well as create alerts for any Experiments saved within the Smart Assistant framework. When creating alerts, select from standard Trigger Conditions, or from Machine Learning Conditions that are specific to the Smart Assistant.

The following table lists the Machine Learning trigger conditions as available by Smart Assistant:

| Smart Assistant | Machine Learning Trigger Conditions |
| --- | --- |
| Smart Clustering Assistant | Triggers based on a value of cluster_distance during a scheduled search. |
| Smart Forecasting Assistant | Triggers based on a value of a predicted field during a scheduled search. |
| Smart Outlier Detection Assistant | Triggers based on a number of outliers during a scheduled search. |
| Smart Prediction Assistant | Triggers based on the numeric value of a predicted field during a scheduled search. Triggers based on the categorical value of a predicted field during a scheduled search. Triggers based on whether the predicted value matches the actual value during a scheduled search. |

Available Smart Assistants

The following Smart Assistants are available in MLTK:

Smart Clustering Assistant

The Smart Clustering Assistant offers an updated look and feel as well as the option to bring in data from different sources to build your model.

The Smart Clustering Assistant uses the K-means algorithm to partition events.

You can gain familiarity with this new Smart Assistant through the MLTK Showcase, accessed under its own tab. The Showcase examples for Smart Clustering include:

  • Cluster Events in Housing Data
  • Cluster Events in Mortgage Data

Smart Forecasting Assistant

The Smart Forecasting Assistant offers an updated look and feel as well as the option to bring in data from different sources to build your model.

The Smart Forecasting Assistant uses the StateSpaceForecast algorithm to forecast future numeric time-series data. Version 4.4.0 and above of the Smart Forecasting Assistant offers both univariate and multivariate forecasting options.

You can gain familiarity with this new Smart Assistant through the MLTK Showcase, accessed under its own tab. The Showcase examples for Smart Forecasting include:

  • Forecast the Number of Calls to a Call Center
  • Forecast App Logons with Special Days
  • Forecast App Expenses
  • Forecast App Expenses from Multiple Variables

Smart Outlier Detection Assistant

The Smart Outlier Detection Assistant offers an updated look and feel as well as the option to bring in data from different sources to build your model.

The Smart Outlier Detection Assistant uses the DensityFunction algorithm to leverage a density algorithm and segment data in advance of your anomaly search.

You can gain familiarity with this new Smart Assistant through the MLTK Showcase, accessed under its own tab. The Showcase examples for Smart Outlier Detection include:

  • Find Anomalies in Hard Drive Metrics
  • Find Anomalies in Supermarket Purchases

Smart Prediction Assistant

The Smart Prediction Assistant offers an updated look and feel as well as the option to bring in data from different sources to build your model.

The Smart Prediction Assistant uses the AutoPrediction algorithm to determine the data type as categorical or numeric and carry out the prediction.

You can gain familiarity with this new Smart Assistant through the MLTK Showcase, accessed under its own tab. The Showcase examples for Smart Prediction include:

  • Predict Disk Utilization
  • Predict the Presence of Vulnerabilities
Last modified on 16 September, 2024

This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 5.3.3, 5.4.0, 5.4.1, 5.4.2

