Splunk Enterprise 6.5 New Features – Part III

In Part III of the Splunk Enterprise 6.5 New Features blog posts, we look at a few new Splunk features that provide additional administrative and analytical functionality.

Indexer Clustering Enhancements

Splunk 6.5 improvements enable users to drive actions directly through the UI to re-sync buckets, roll over hot buckets, validate cluster bundles and decommission sites in a multi-site environment. Along with these better management capabilities for indexers, users can now rebalance the data within their indexer cluster for optimal utilization of the available physical resources.

Splunk Machine Learning Toolkit

Along with the release of Splunk 6.5 came the release of the Machine Learning Toolkit. Splunk has long offered machine learning commands to help analyze machine data using fixed algorithms. However, Splunk can now help users create custom analytics based on an array of different algorithms. The Toolkit has two objectives: (1) to extend Splunk’s own capabilities and (2) to make custom machine learning simple. The Toolkit’s Assistants let users choose among 25 popular algorithms and guide them through model creation, testing and deployment for common objectives such as forecasting, predicting fields and detecting outliers.

Let us take a closer look at one of the new Assistants included in the Toolkit. The Predict Numeric Fields Assistant walks the user through the process of building a model that predicts the value of a numeric field.

After a search is run, the data is previewed. The Assistant automatically presents mechanisms to evaluate the quality of the current model on the test data.

(Screenshot: Predict Numeric Fields Assistant)

Users can review previously attempted settings, compare how each performed against the current data set, and reload whichever settings worked best.

(Screenshot: Predict Numeric Fields Assistant, reloading previous settings)

When a user is satisfied with the settings, they can open the Search to view the generated SPL, or set up an alert that triggers when the predicted value matches specific criteria.

(Screenshot: opening the Search to view the SPL)

There are 6 Assistants in total:

(1) Predict Numeric Fields
(2) Predict Categorical Fields
(3) Detect Numeric Outliers
(4) Detect Categorical Outliers
(5) Forecast Time Series
(6) Cluster Numeric Events

These tools can help organizations predict VPN usage or the presence of malware, forecast the number of employee logins, and so on. With the ability to better customize models for specific data sets, it will be interesting to see what new use cases organizations will be able to deliver with Splunk 6.5 and the new Machine Learning Toolkit.
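As an added example (not from the Splunk post and not the SPL the Assistant itself generates), here is the shape of the fit/apply search pair the Predict Numeric Fields workflow ends in for the VPN-usage case: the first search trains a model on hourly VPN session counts, the second applies it to the most recent completed hour and can be saved as an alert that fires when the observed count deviates from the prediction. The index, sourcetype, field names and the 50% deviation threshold are constructed assumptions.

```spl
index=vpn sourcetype="cisco:asa" earliest=-30d@d latest=@d
| bin _time span=1h
| stats count AS sessions dc(src_ip) AS distinct_clients BY _time
| eval hour_of_day=tonumber(strftime(_time, "%H")), day_of_week=tonumber(strftime(_time, "%w"))
| fit LinearRegression sessions from distinct_clients hour_of_day day_of_week into vpn_hourly_sessions

index=vpn sourcetype="cisco:asa" earliest=-1h@h latest=@h
| bin _time span=1h
| stats count AS sessions dc(src_ip) AS distinct_clients BY _time
| eval hour_of_day=tonumber(strftime(_time, "%H")), day_of_week=tonumber(strftime(_time, "%w"))
| apply vpn_hourly_sessions
| eval residual=sessions - 'predicted(sessions)'
| where abs(residual) > 0.5 * 'predicted(sessions)'
```

The `apply` command writes its output to a field named `predicted(sessions)`, which must be single-quoted inside `eval` and `where` because of the parentheses; the first search is meant to be scheduled (for example nightly) so the saved model is retrained on fresh data before the hourly alert search uses it.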