Splunk is a powerful platform for understanding your data. This session will provide an overview of machine learning capabilities available across Splunk’s portfolio. We'll dive deeply into Splunk's Machine Learning Toolkit App, which extends Splunk Enterprise with a suite of advanced analytics, machine learning algorithms, and rich visualizations. It also provides customers with a guided model-building and operationalization environment. The demonstration will include the guided model-building UI for tasks such as predictive analytics, outlier detection, event clustering, and anomaly detection. We’ll also review typical use cases and real-world customers who are using the Toolkit to drive business results.
What’s needed: A solution that can monitor conditions of interest and analyze behaviors of interest across all business processes, and deliver actionable insights to business decision-makers.
Splunk handles the full continuum: past, present & future.
DATA IS STILL IN MOTION, still in a BUSINESS PROCESS.
Enrich real-time MACHINE DATA with structured HISTORICAL DATA
Make decisions IN REAL TIME using ALL THE DATA
Q: What is a statistical model? A: A model is a little copy of the world you can hold in your hands.
Formal: A model is a parametrized relationship between variables.
FITTING a model sets the parameters using feature variables & observed values
APPLYING a model fills in predicted values using feature variables
Image source: http://phdp.github.io/posts/2013-07-05-dtl.html
Example:
The ML process is itself a generalization of the different use cases. ML spans domains!
Get all the relevant data to the problem; Explore the data
Select and Fit an algorithm on the data, generating a model
Apply & Validate models until predictions solve the problem
Surface the model to X Ops, who consume the model to solve the problem
The arrow means OPERATIONALIZE. Feed incident data and other high-level analysis back into the ML process. Keep exploring that data and fitting better models to align with reality. Loop Step #5 (Act) back to Step #1 (Data).
So, let’s look at a simple visual to discuss how it works.
In four simple steps, customers can achieve data driven service insights.
They Get the data in. (all the data…)
They quickly define services, entities, and KPIs
They monitor and troubleshoot
They analyze and detect
Through these steps, customers are able to realize the value of Data Defined, Data Driven Service Insights.
Machine learning is bringing data analysis into a new era, allowing companies to use predictive analytics that continually “learn” from historical data. These analytics can optimize IT, security and business operations—helping to detect incidents, reduce resolution times, and predict and prevent undesired outcomes.
The Splunk platform makes it easy for you to harness the power of machine learning by offering a rich set of machine learning commands and a guided workbench to create custom models for any use case.
Assistants: Assistants let you choose the algorithm and then guide you through model creation, testing and deployment for common objectives like forecasting values, predicting numeric or categorical fields, and detecting numeric or categorical outliers.
Showcases: Walk through interactive examples of model creation organized by common use cases for IT, security, IoT and business analytics. Examples include predicting disk failures, finding outliers in response time, predicting VPN usage and forecasting internet traffic.
SPL ML Commands: The Splunk platform offers over 20 machine learning commands that can be applied directly to your data for detection, alerting or analysis. Commands such as outlier, predict, cluster and correlate utilize fixed algorithms, while others such as anomalydetection allow you to choose between several algorithms to best fit your needs.
Want more flexibility? With the Machine Learning Toolkit, you get access to additional commands and open source algorithms to create custom models for any use case.
Python for Scientific Computing Library: Use machine learning SPL commands like fit and apply to directly build, test and operationalize models using open source Python algorithms from the Splunk Python for Scientific Computing Add-on.
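As an added illustration (not Splunk's or the Toolkit's code) of the FIT/APPLY lifecycle from the model slides and of the fit/apply commands listed above, here is a plain-Python version of the response-time outlier showcase: fit sets the parameters on a historical window, apply fills in predicted values for new events and flags the ones whose residual is far outside the training spread. The field names, the `predicted(<field>)` output naming and all events are constructed for this example.

```python
"""FIT/APPLY in plain Python (added example; not Splunk or Toolkit code).
FIT sets parameters from a historical window; APPLY fills in predicted
values for new events and scores the residual, as the Toolkit's
response-time outlier showcase does. All events are constructed."""
from statistics import mean, pstdev

# Constructed history: requests per minute (feature) and response time in ms.
HISTORY = [
    {"requests": 100, "response_time": 210},
    {"requests": 200, "response_time": 305},
    {"requests": 300, "response_time": 395},
    {"requests": 400, "response_time": 510},
    {"requests": 500, "response_time": 600},
]
# Constructed incoming events; the second is a slow period at normal load.
INCOMING = [
    {"requests": 150, "response_time": 255},
    {"requests": 350, "response_time": 1400},
    {"requests": 250, "response_time": 360},
]

def fit(events, feature, target):
    """FIT: least squares for target = slope * feature + intercept.
    The training residual spread is kept so APPLY can score new residuals."""
    xs = [e[feature] for e in events]
    ys = [e[target] for e in events]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("feature %r is constant; nothing to fit" % feature)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    intercept = my - slope * mx
    residuals = [y - (slope * x + intercept) for x, y in zip(xs, ys)]
    return {"feature": feature, "target": target, "slope": slope,
            "intercept": intercept, "resid_sigma": pstdev(residuals)}


def apply(model, events, threshold=3.0):
    """APPLY: add predicted(<target>) (the Toolkit's output field naming) and
    an is_outlier flag for residuals beyond `threshold` training std devs."""
    pred_field = "predicted(%s)" % model["target"]
    scored = []
    for e in events:
        pred = model["slope"] * e[model["feature"]] + model["intercept"]
        resid = e[model["target"]] - pred
        row = dict(e, is_outlier=abs(resid) > threshold * model["resid_sigma"])
        row[pred_field] = pred
        scored.append(row)
    return scored
```

In Splunk terms the same flow is `| fit` on a historical search saved into a model, then `| apply` on the live search feeding an alert on the outlier flag.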
MS: This slide needs some work and structure around all the types of algos we’re supporting – pre-processing, feature extraction, classification, regression, clustering, time-series forecasting, outlier detection, text analytics, etc.
Getting data into Splunk is designed to be as flexible and easy as possible: the indexing engine generally requires no configuration for most machine data generated by the devices, control systems, sensors, SCADA, networks, applications and end users connected by industrial networks. There are many options:
Splunk can directly monitor hundreds or thousands of local files, index them and detect changes. Additionally, many customers use our out-of-the-box scripts and tools to generate data – common examples include performance polling scripts on *nix hosts, API and more.
You can onboard data directly from any application or device, opening up new types of machine data to the benefits of Splunk analysis. The Event Collector makes it simple and efficient to collect this data, scaling to millions of events per second, using a developer-friendly, standard HTTP/JSON API and logging libraries.
The HTTP Event Collector (EC) uses a standard API and high-volume Splunk endpoint to allow events to be directly sent/collected at extreme velocity. The data volumes supported by Splunk are ideal for IoT and industrial data.
There are many free add-ons and Apps for Splunk software that simplify the connection and collection of data from both industrial systems and the Internet of Things. These include:
Protocol Data Inputs: Receive data via a number of different protocols such as TCP, TCP(S), HTTP(S) PUT/POST/file upload, UDP, WebSockets and SockJS.
Rest API Modular Input: Poll local and remote REST APIs and index the responses.
Amazon Kinesis Modular Input: Index data from Amazon Kinesis, a fully managed service for real-time streaming data.
Apache Kafka Modular Input: Index messages from Apache Kafka messaging brokers, including clusters managed by Zookeeper.
DB Connect 2: Integrate structured data sources with your Splunk real-time machine data collection.
MQTT Modular Input: Index messages from MQTT, a machine-to-machine connectivity protocol, by subscribing Splunk software to MQTT Broker Topics.
AMQP Modular Input: Index data from message queues provided by AMQP brokers.
JMS Modular Input: Poll and index message queues and topics, including MQTT messages, from JMS providers such as Tibco EMS, WebLogic JMS and ActiveMQ.
CoAP Modular Input: Index messages from a CoAP (Constrained Application Protocol) server.
SNMP Modular Input: Collect data by polling SNMP attributes and catching SNMP traps from datacenter infrastructure devices providing cooling and power distribution.
Splunk App for Stream: Capture, filter and index real-time streaming wire data and network events.
Splunk isn’t the only technology that can benefit from collecting machine data, so let Splunk help send the data to those systems that need it. For those systems that want a direct tap into the raw data, Splunk can forward all or a subset of data in real time via TCP as raw text or RFC-compliant syslog. This can be done on the forwarder or centrally via the indexer without increasing your daily indexing volume. Separately, Splunk can schedule sophisticated correlation searches and configure them to open tickets or insert events into SIEMs or operation event consoles. This allows you to summarize, mash up and transform the data with the full power of the search language and import data into these other systems in a controlled fashion, even if they don’t natively support all the data types Splunk does.
Alerts are triggered when certain conditions are met by the results of the search upon which they are based. Alerts can be based on both historical and real-time searches.
When an alert is triggered, it performs an alert action. This action can be the sending of the alert information to a designated set of email addresses, or the posting of the alert information to an RSS feed. Alerts can also be set up to run a custom script when they are triggered.
You can base these alerts on a wide range of threshold and trend-based scenarios.
Custom Alert Actions provide the ability to use Splunk Alerts to trigger custom actions or pre-packaged integrations with third-party products such as work order management systems, trouble ticketing or support systems. Splunk and partners provide a growing set of integrations including ServiceNow, xMatters, Webhooks and more. With custom alert actions you can:
Send message to IM clients (HipChat, Slack)
Send SMS
Automate the creation of tickets (ServiceNow, Jira)
Take action or send events to firewalls, devices, management consoles
Trigger device-level actions (change lights, sound an alarm, send an action to a device)
Trigger any organization-specific action (restart application, integrate with homegrown service, and more)
This way you can set alerts on data coming from ICS, SCADA, sensors and similar sources and alert operators or trigger actions in third-party applications, enabling you to sense anomalous conditions in the data and respond to them.
Time for ML demo!
Get the ML App: http://tiny.cc/splunkmlapp
Want more? Take Splunk’s Analytics & Data Science course!
Course prework: http://bit.ly/splunkanalytics
Our Early Adopter customers have had much success creating and operationalizing ML models. Some examples include:
Zillow makes hundreds of website updates daily, including content from several partners nationally. These updates can often cause issues in the site. Zillow built an ML model that predicts which of these changes is likely to result in an issue to allow the team to fix them proactively. Once a potential or actual issue has been identified, the model can also provide guidance on likely root cause and resolution.
TELUS has thousands of mobile phone towers across Canada; when one of these goes offline it can cause significant disruption for their customers. TELUS built a model to predict which towers are likely to fail so that they can proactively fix issues before they occur.
And of course, your biggest education opportunity this year is .conf2017, which will be held right back here in Washington, DC on September 25 – 28. I know you have heard a lot about .conf2017 today, but don’t forget that by attending SplunkLive! today we are extending you a discount of over $450. You will be able to register with a unique link that will be sent in the post-SplunkLive! emails going out next week.