Splunk Tech Talks
Deep-dives for technical practitioners.

Anomaly Detection with Splunk Machine Learning

Splunk Employee
Splunk Employee

View our Splunk Tech Talk, Anomaly Detection withe Splunk Machine Learning  to learn how to leverage the Smart Outlier Detection Assistant to experiment and build a model to detect any deviations from past behaviors or unusual changes. Whether you’re responsible for managing IT or security data, we’ll show you how easy it is to utilize machine learning to spot anomalies, gain new insights, and make more informed decisions.

Tune in to:

  • Learn how to a build model with your Splunk data using machine learning
  • Understand how Splunk can help detect anomalies in your IT and security data
  • See a demo of the Smart Outlier Assistant in the Splunk Machine Learning Toolkit
  • Get access to the latest resources on Machine Learning in Splunk

Check out our Machine Learning Toolkit conversations in Splunk Answers community for more!

Splunk Employee
Splunk Employee

Hey everyone! We had some great questions during this Tech Talk in June. 

Recapping for all!

Q: Is this App available with every Splunk Enterprise Account/License?
A: Yes, you can download it here: https://splunkbase.splunk.com/app/2890/
Q: Can you pls talk more about special days in preprocessing ? do you just exclude these data points in fitting the model ?
A: Correct, these days are marked using the lookup file or another pre-processing step and are excluded.
Q: Is the Smart Outlier Detection tool an additional cost?
A:  No it is not. The Smart Outlier Detection Assistant (and all of the other Smart Assistants) are included in the free MLTK app.
Q: What version of MLTK you are showing ? 5.0 ?
A: This is MLTK 5.2
Q: What version of Splunk are you using?
A: Splunk Version is 8.0.3
Q: This demonstrated anomalies based on count. How can I bring in other features? For example, what if I wanted to look at count as well as hosts associated with the login?
A: Add that data as another column in the data eg: host or host_name when you generate your stats command. You can then use that as part of the split-by option in the anomaly detection workflow.
Q. What is the MLTK app?
A: It is the Machine Learning Toolkit app, which is what is being shown in these demos. You can learn more here: https://www.splunk.com/en_us/software/splunk-enterprise/machine-learning.html and download it here: https://splunkbase.splunk.com/app/2890/
Q: Can you explain more in the "distance" column ?
A: This refers to the distance between the training / test split. the algorithm automatically splits the data up and it describes the distance between the distribution between the training data & the test data.
Q: How does MLTK handle models which might cover data that changes based on the day of the week. For example if I was looking for anomalous web traffic knowing it's less on Sat/Sun (and obviously holidays)
A: If you add these as labels/columns in your data set and use them in the split-by it will generate separate baselines for weekends v. weekdays.