topic Re: Splunk Machine Learning Toolkit: fit/apply Numeric Outlier Detection? in All Apps and Add-ons

Splunk Machine Learning Toolkit: fit/apply Numeric Outlier Detection?

lradics — Tue, 11 Jul 2017 14:24:44 GMT

In using the Machine Learning Toolkit, I've noticed that some assistants (such as Predict Numeric Fields) have an option to save the chosen specifications as a model, and/or train said saved model on a schedule - which, to the best of my knowledge, would then allow the model to grow increasingly intelligent based on the data flowing through it.

Is there an equivalent method for training the Detect Numeric Outliers assistant? So that when it finds outliers for a given time period, it's using data from past trainings in order to determine a suitable average and outlier threshold?

I don't know if it's relevant, but here's the SPL I'm using:

 index=xxx source=xxx reactionTime user=* | sort 0 _time | eval rxnTime=reactionTime/1000 | dedup ID | where rxnTime < 100 | where reactionTime != -1 | eventstats avg("rxnTime") as avg stdev("rxnTime") as stdev  | eval lowerBound=(avg-stdev*exact(1.2)), upperBound=(avg+stdev*exact(5)) | eval isOutlier=if('rxnTime' < lowerBound OR 'rxnTime' > upperBound, 1, 0) | search isOutlier=1 | table _time, "rxnTime", lowerBound, upperBound, isOutlier, avg, user

Thank you!

Re: Splunk Machine Learning Toolkit: fit/apply Numeric Outlier Detection?

cmerriman — Tue, 11 Jul 2017 15:39:18 GMT

the way to save a model and keep using it is to fit it into a saved model and apply it. to do that, you need to use an algorithm from the scikit you can get here: http://scikit-learn.org/stable/auto_examples/index.html

the algorithm for numerical/categorical outliers is OneClassSVM.
https://docs.splunk.com/Documentation/MLApp/2.2.0/User/Algorithms#Anomaly_Detectors

Re: Splunk Machine Learning Toolkit: fit/apply Numeric Outlier Detection?

lradics — Tue, 11 Jul 2017 16:28:56 GMT

Thank you - that's exactly what I was looking for!