All Apps and Add-ons

Relationship between Experiments and Models in MLTK

jpawloski
Path Finder

So I've been using the Cluster Numeric Events Experiment in Splunk and have saved a version of the model using the save button on the upper right. When I head out to the experiments page, I see a Model Name of 'exp' with a large string of alphanumeric characters that follow. When I attempt to apply this model in searches, Splunk tells me it doesn't exist. I also have this model running nightly training.

With previous iterations of this model, I've used the Open in Search option available on the experiment page and have manually created models using the resulting search, replacing '_exp_draft' with something more descriptive. The alphanumeric string values were left intact. Now I can use this model but how does the nightly training on the _exp model affect this model? Also, if I wanted to apply a partial fit, how would I go about doing that, since I don't see a way to tell the experiment to utilize it within it's training schedule.

0 Karma

sslepian_splunk
Splunk Employee
Splunk Employee
  1. I'm not sure why you're unable to apply the _exp... model - I would guess that there's Splunk permissions issue. Are you trying to apply it from another user or app? Experiment models are scoped to the user/app that created them.
  2. The _exp... prefix tells you that this model is controlled by the Experiment - any alerts created from the Experiment will use this model, scheduled training will overwrite this model, etc.
  3. If you'd like to use this model outside an Experiment, the recommended approach is using the "Publish" function, which will clone the Experiment's models to a location of your choice (and allows you to specify a different name). Note that this is a one-time action - it'll export the current state of your model, but if your model changes you would need to Publish again.
  4. Experiments don't support partial fit at this time - you would need to use the "fit" command on the search page to do that.
0 Karma

jpawloski
Path Finder

Answer to question 1: I'm building the model through the MLTK but attempting to use it in a different app. so that might explain that. Now I'm able to use the renamed version of the model I create manually after I set it to Global on the Models page but it sounds like training will not be applied to this renamed model. Is that correct?

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...