Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'apply' command: Failed to load model "smb_pdfmodel": Model does not exist.

BenzSann
Splunk Employee
Splunk Employee
‎08-26-2020 06:29 AM

I tried to enable some use cases from Splunk ESCU and then I copied SPL command and run searching to test.  It seems that some use cases show error due to MLTK.  

Any idea how to solve this?     I use Splunk Core 8.0.4 with ES 6.2.0

0 Karma
Reply

Pcktech
Explorer
‎11-11-2020 01:57 PM

Not sure if you still have this question, but I had the same one and don't like unanswered forum questions (never know who is in need of an answer)...

Go to Search, Reports, & Alerts, and find "ESCU - Baseline of SMB Traffic - MLTK" (thanks to https://docs.splunksecurityessentials.com/content-detail/smb_traffic_spike_-_mltk/ for this thread to pull). Enable this saved search, and schedule it hourly (or change its time window from -70/-10min to whatever you like).

If you run it manually, be aware that it will save smb_pdfmodel under your user context. So, if you want to test the Correlation Rule before the next scheduled run time: run the saved search "ESCU - Baseline of SMB Traffic - MLTK" and then go to Lookups > Lookup Tables. Look for "smb_pdfmodel" under all Apps and Owners. Click Change Permissions and set it to Global with desired permissions (E.g. everyone read). This should move the smb_pdfmodel to the DA-ESS-ContentUpdate app context.

Now the Correlation Rule "SMB Traffic Spike - MLTK" will run successfully.

 

FYI: You can also find the file at /opt/splunk/etc/apps/DA-ESS-ContentUpdate/lookups/__mlspl_smb_pdfmodel.mlmodel

Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...