Re: Error in 'apply' command: Failed to load model...

BenzSann · ‎08-26-2020

I tried to enable some use cases from Splunk ESCU and then I copied SPL command and run searching to test. It seems that some use cases show error due to MLTK.

Any idea how to solve this? I use Splunk Core 8.0.4 with ES 6.2.0

Pcktech · ‎11-11-2020

Not sure if you still have this question, but I had the same one and don't like unanswered forum questions (never know who is in need of an answer)...

Go to Search, Reports, & Alerts, and find "ESCU - Baseline of SMB Traffic - MLTK" (thanks to https://docs.splunksecurityessentials.com/content-detail/smb_traffic_spike_-_mltk/ for this thread to pull). Enable this saved search, and schedule it hourly (or change its time window from -70/-10min to whatever you like).

If you run it manually, be aware that it will save smb_pdfmodel under your user context. So, if you want to test the Correlation Rule before the next scheduled run time: run the saved search "ESCU - Baseline of SMB Traffic - MLTK" and then go to Lookups > Lookup Tables. Look for "smb_pdfmodel" under all Apps and Owners. Click Change Permissions and set it to Global with desired permissions (E.g. everyone read). This should move the smb_pdfmodel to the DA-ESS-ContentUpdate app context.

Now the Correlation Rule "SMB Traffic Spike - MLTK" will run successfully.

FYI: You can also find the file at /opt/splunk/etc/apps/DA-ESS-ContentUpdate/lookups/__mlspl_smb_pdfmodel.mlmodel

Error in 'apply' command: Failed to load model "smb_pdfmodel": Model does not exist.

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!