I tried to enable some use cases from Splunk ESCU, then copied the SPL command and ran a search to test. It seems that some use cases show errors due to MLTK.
Any idea how to solve this? I use Splunk Core 8.0.4 with ES 6.2.0.
Not sure if you still have this question, but I had the same one and don't like unanswered forum questions (never know who is in need of an answer)...
Go to Search, Reports, & Alerts, and find "ESCU - Baseline of SMB Traffic - MLTK" (thanks to https://docs.splunksecurityessentials.com/content-detail/smb_traffic_spike_-_mltk/ for this thread to pull). Enable this saved search, and schedule it hourly (or change its time window from -70/-10min to whatever you like).
If you run it manually, be aware that it will save smb_pdfmodel under your user context. So, if you want to test the Correlation Rule before the next scheduled run time: run the saved search "ESCU - Baseline of SMB Traffic - MLTK" and then go to Lookups > Lookup Tables. Look for "smb_pdfmodel" under all Apps and Owners. Click Change Permissions and set it to Global with the desired permissions (e.g. everyone read). This should move the smb_pdfmodel to the DA-ESS-ContentUpdate app context.
Now the Correlation Rule "SMB Traffic Spike - MLTK" will run successfully.
FYI: You can also find the file at /opt/splunk/etc/apps/DA-ESS-ContentUpdate/lookups/__mlspl_smb_pdfmodel.mlmodel
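An added shell check (not from the thread or from Splunk) that locates every copy of the MLTK model file on the search head and reports whether it lives in an app context or only under a user's private context, which is what happens after a manual run of the baseline search. It assumes the standard $SPLUNK_HOME layout (etc/apps/<app>/lookups and etc/users/<user>/<app>/lookups); the model and app names are the ones named above.

```shell
#!/bin/sh
# Locate __mlspl_<model>.mlmodel copies and classify their context.
# Assumption: standard Splunk layout under $SPLUNK_HOME (default /opt/splunk).

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
MODEL="smb_pdfmodel"
EXPECTED_APP="DA-ESS-ContentUpdate"

# Print one line per copy found: "<context> <path>", where context is
# "app:<app>" (shared app context) or "user:<user>/<app>" (private to a user).
find_mlspl_model() {
    home="$1"; model="$2"
    for f in "$home"/etc/apps/*/lookups/"__mlspl_${model}.mlmodel"; do
        [ -f "$f" ] || continue
        app=$(basename "$(dirname "$(dirname "$f")")")
        echo "app:$app $f"
    done
    for f in "$home"/etc/users/*/*/lookups/"__mlspl_${model}.mlmodel"; do
        [ -f "$f" ] || continue
        app=$(basename "$(dirname "$(dirname "$f")")")
        user=$(basename "$(dirname "$(dirname "$(dirname "$f")")")")
        echo "user:$user/$app $f"
    done
}

# Exit 0 when the model exists in the expected app context (visible to the
# correlation search), 1 when it is only private or missing.
model_is_shared() {
    find_mlspl_model "$1" "$2" | grep -q "^app:$3 "
}

if model_is_shared "$SPLUNK_HOME" "$MODEL" "$EXPECTED_APP"; then
    echo "OK: $MODEL is in the $EXPECTED_APP app context"
else
    echo "NOT SHARED: $MODEL is missing from $EXPECTED_APP; copies found:"
    find_mlspl_model "$SPLUNK_HOME" "$MODEL"
fi
```

A "user:" line with no matching "app:" line is the state the answer describes, and changing the lookup's permissions to Global in the UI is what moves it.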