All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you feed data from an existing Splunk data model into the Splunk Machine Learning Toolkit?

collinlorb
Engager
‎11-01-2018 10:49 AM

With the ML tool kit, I see that you can | inputlookup data from a .CSV file. But what if you want to pull from tables that have data changing continuously?

We have data models in Splunk with the data I am looking for, but I can't find the correct method, or syntax, for bringing it into the ML tool kit.

Any insight would be greatly appreciated.

Thanks,

0 Karma
Reply

aoliner_splunk
Splunk Employee
Splunk Employee
‎11-01-2018 11:03 AM

Any data that can be retrieved by a Splunk search can be used with the ML Toolkit, including data from indexes or third-party data sources like Hadoop (with Splunk Hadoop Connect). You simply append that search with the applicable | fit ... or | apply ...

0 Karma
Reply

collinlorb
Engager
‎11-01-2018 12:38 PM

In the MLTK, how do I search for data that is located in a data model, inside of Splunk Datasets?

0 Karma
Reply

aoliner_splunk
Splunk Employee
Splunk Employee
‎11-01-2018 01:26 PM

The same way you search for data in a Data Model anywhere else in Splunk. For example:
| datamodel network_traffic search | search tag=destination

0 Karma
Reply

grana_splunk
Splunk Employee
Splunk Employee
‎11-01-2018 11:01 AM

Hey Collin,

If I understand your question correctly, you are running search through inputlookup command on searchbar.

| inputlookup in showcase is just for example purpose for new users. Replace it with actual search using index or data model. Once you are done with creating models, schedule a training for regularly updating model on new incoming data.

Reply

collinlorb
Engager
‎11-01-2018 12:39 PM

I was using | inputlookup to bring in .csv files for experimentation. How do I search for data that is already in the data model inside of Splunk Datasets?

0 Karma
Reply

grana_splunk
Splunk Employee
Splunk Employee
‎11-01-2018 01:22 PM

In the assistant , you can see the raw data preview if you scroll down or you can do it in search tab and bring that SPL to assistant.

0 Karma
Reply

collinlorb
Engager
‎11-02-2018 04:37 AM

Yes this what I needed to do. Essentially | From

0 Karma
Reply

grana_splunk
Splunk Employee
Splunk Employee
‎11-02-2018 10:11 AM

if it has solved your query, please mark it as accepted answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top