Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem to use ML toolkit "apply" command in ES correlation search

sonny_monti
Path Finder
‎06-04-2019 05:50 AM

I want to use a ML toolkit trained model in Enterprise security.

To do this I want to use the "apply" command in a correlation search, which should use the trained model.

THe model is shared globally, the "apply" command is also shared globally.

When I save the new correlation search I get an error that says that the "apply" command was not found.

Any Idea why this happens?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sonny_monti
Path Finder
‎06-04-2019 06:41 AM

I drilled down in splunk answers and i found This anwer from muebel.
https://answers.splunk.com/answers/509868/commands-not-usable-from-enterprise-security.html
The answer from muebel resolved my problem.
ES has a modular input to control what is allowed in the app context. Just add the ML toolkit in the allowed imports.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kchamplin_splun
Splunk Employee
Splunk Employee
‎06-04-2019 08:15 AM

ES, on versions prior to 5.3, used a feature called "app imports". You need to add the app's name (as it appears on disk in etc/apps) to the app imports regex - documentation is here:
https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps#Import_add-ons_with_a_differ...

This is also documented with Enterprise Security Content Updates:
https://docs.splunk.com/Documentation/ESSOC/1.0.38/user/ConfigureMLTKforusewithES

Reply
Solved! Jump to solution
Solution

sonny_monti
Path Finder
‎06-04-2019 06:41 AM

I drilled down in splunk answers and i found This anwer from muebel.
https://answers.splunk.com/answers/509868/commands-not-usable-from-enterprise-security.html
The answer from muebel resolved my problem.
ES has a modular input to control what is allowed in the app context. Just add the ML toolkit in the allowed imports.

0 Karma
Reply
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...