Exclude select data columns from Splunk algorithms

lancair · ‎07-08-2020

Question : I am trying to determine if it's possible to exclude selected columns of data from algorithm processing when running a search analysis in the search and reporting window.

This would equate to using a python pandas dataframe and selecting the features you desire from the dataset to be processed or considered in the algorithm.

Example

index=firewall action="allowed" (host="myhost*")
transport="tcp"

-- Assumption: my data has 10 columns, but I only want to use 6 of them in the algorithm.

-- Problem: Filter the columns to be used when executing the 1CSVM Algorithm. By default I believe Splunk is assuming I want to analyze all columns as features.

`comment("Fit Using 1CSVM Algorithm")`
| fit OneClassSVM * kernel="rbf" gamma=1 nu=.0001 shrinking=False | outputlookup compositeResults.csv append=true

richgalloway · ‎07-08-2020

Perhaps the fields command will help.

index=firewall action="allowed" (host="myhost*") transport="tcp"
`comment("Exclude the fields we don't want considered by the algorithm")`
| fields - foo bar
`comment("Fit Using 1CSVM Algorithm")`
| fit OneClassSVM * kernel="rbf" gamma=1 nu=.0001 shrinking=False | outputlookup compositeResults.csv append=true

---
If this reply helps you, Karma would be appreciated.

Exclude select data columns from Splunk algorithms

development

other

search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!