DGA App for Splunk: Trouble setting up the Create Machine Learning Models dashboard

stehannan1
Explorer

I am installing the DGA App for Splunk and all its other necessary packages on a Splunk 6.5.5 environment with a Machine Learning Toolkit freshly upgraded to 3.1.1, but am getting stuck on the setup process post-installation.

From the app I navigate to the dashboard '0. Setup', which gives a simple set of instructions to follow, but I am getting stuck on Step 8, which wants me to go to the third dashboard (Create Machine Learning Models). According to the steps I should be able to create machine learning models on that dashboard. However, once the panels load I see results in all but the bottom panel, "Cache results of model generation for next iteration". The panel has a message indicating it is waiting for input, but the page has nowhere for me to input anything. By looking at the search behind the panel I can see it looks like there is an open quote, but I am not sure if I am overlooking something specific to machine learning searches/commands.

Below is the search for the panel which is waiting for input:

| inputlookup dga_algos 
| map search="| inputlookup dga_domains_features 
| search partition_number=1 
| apply \"$algo$\" 
| \`confusionmatrix(class,\"predicted(class)\")\` 
| eval Algorithm=\"$algo$\"" 
| outputlookup dga_model_results

Is there something major I am overlooking on the steps? Or has anyone else had any issues like this?

Full setup instructions from dashboard below:

Setup Dashboard

sabaKhadivi
Path Finder

I installed and set up DGA based on its instructions, but I don't know how to use its data in my own network, or how it can work on my own network data?

0 Karma

pdrieger_splunk
Splunk Employee
0 Karma

kimikoyan
Explorer

I have the same question... Have you worked it out now?

0 Karma

pdrieger_splunk
Splunk Employee

Thanks for sharing your findings stehannan1! This dashboard panel was a little "leftover" on that version - happy to get this into my backlog for the next release. The lower case naming should also be fixed - thanks again for sharing!

0 Karma

stehannan1
Explorer

I was doing some further troubleshooting and found that the confusionmatrix macro which was being referenced in the search was not available to the DGA app, but only to Machine Learning. Once I made it available to all apps, I can now run the search from Search within the DGA app.

But when I try and use it on the third dashboard page I still get a message saying "waiting for input" on the last panel, which is odd to me since I can enter the search behind the panel and get results.

I also notice that the search has the first quotation mark highlighted in red as if there was some formatting issue.

0 Karma

stehannan1
Explorer

Okay, so it looks like everything besides that one panel is working once I made that macro available to all apps. But I noticed that in the "Machine Learning Algorithm" input, within static options, the SupportVectorMachine algorithm had an incorrect value of "dga_SVM" when it should be all lower-case, "dga_svm". That change allowed me to see all 4 algorithms operationalized on that dashboard.

I am currently waiting for the other models to build, which it says should take 2-3 hours.

0 Karma
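Two things in this thread come down to dashboard definition details: a static dropdown option whose value ("dga_SVM") did not match the case of the stored model name ("dga_svm"), and a panel search that contains `$algo$`. In Simple XML, any unescaped `$name$` inside a panel's `<query>` is substituted from a dashboard token, so a `$field$` meant for the `map` command's own substitution has to be written `$$field$$`, otherwise the panel depends on that token and shows "waiting for input" until it is set. The script below is an added example, not code from the DGA App for Splunk or from anyone in this thread. It parses a constructed Simple XML fragment (the dropdown and the cache panel are modelled on the thread, the other choice values and the model-name list are placeholders) and reports static choices that do not exactly match a known model name, plus the token names each panel query references.

```python
"""Sanity checks for a Simple XML dashboard: static option values must match
model names exactly (lookups and model names are case sensitive), and any
$name$ inside <query> is a dashboard token reference.

Example code added for this thread; not part of the DGA App for Splunk.
"""
import re
import xml.etree.ElementTree as ET

# Constructed dashboard fragment. Only the dga_SVM/dga_svm mismatch and the
# cache-panel search shape come from the thread; everything else is made up.
DASHBOARD_XML = r"""
<form>
  <fieldset>
    <input type="dropdown" token="algo">
      <label>Machine Learning Algorithm</label>
      <choice value="dga_logreg">LogisticRegression</choice>
      <choice value="dga_rf">RandomForestClassifier</choice>
      <choice value="dga_SVM">SupportVectorMachine</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Cache results of model generation for next iteration</title>
      <search>
        <query>| inputlookup dga_algos
| map search="| inputlookup dga_domains_features | search partition_number=1 | apply \"$algo$\" | eval Algorithm=\"$algo$\""
| outputlookup dga_model_results</query>
      </search>
    </panel>
  </row>
</form>
"""

# Constructed list of model names as they would be stored (placeholders
# except for dga_svm, which the thread names).
KNOWN_MODELS = {"dga_logreg", "dga_rf", "dga_svm"}

# Matches $name$ but not the escaped form $$name$$, which Simple XML
# passes through as a literal $name$ for commands such as map.
TOKEN_RE = re.compile(r"(?<!\$)\$(\w+)\$(?!\$)")


def find_bad_choices(xml_text, known_models):
    """Return (label, value, suggestion) for every static <choice> whose value
    is not an exact model name. suggestion is the case-insensitive match when
    one exists (the dga_SVM -> dga_svm case), otherwise None."""
    by_lower = {m.lower(): m for m in known_models}
    root = ET.fromstring(xml_text.strip())
    problems = []
    for inp in root.iter("input"):
        for choice in inp.iter("choice"):
            value = choice.get("value", "")
            if value in known_models:
                continue
            problems.append((choice.text, value, by_lower.get(value.lower())))
    return problems


def find_token_references(xml_text):
    """Map each panel title to the sorted list of unescaped $token$ names its
    <query> references. A panel whose query references a token will wait for
    input until that token has a value."""
    root = ET.fromstring(xml_text.strip())
    refs = {}
    for panel in root.iter("panel"):
        title = panel.findtext("title", default="(untitled panel)")
        names = set()
        for query in panel.iter("query"):
            names.update(TOKEN_RE.findall(query.text or ""))
        refs[title] = sorted(names)
    return refs


if __name__ == "__main__":
    for label, value, suggestion in find_bad_choices(DASHBOARD_XML, KNOWN_MODELS):
        hint = f"did you mean {suggestion!r}?" if suggestion else "no model with that name"
        print(f"choice {label}: value {value!r} matches no model; {hint}")
    for title, names in find_token_references(DASHBOARD_XML).items():
        print(f"panel {title!r} depends on dashboard tokens: {names or 'none'}")
```

Running the script on the constructed fragment flags the SupportVectorMachine choice with the suggestion dga_svm, and shows that the cache panel's query depends on the dashboard token algo. If that `$algo$` was meant for `map`'s per-row substitution rather than for the dropdown, escaping it as `$$algo$$` in the dashboard XML removes the token dependency.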