DGA App for Splunk: Trouble setting up the Create ...

stehannan1 · ‎12-20-2017

I am installing the DGA App for Splunk and all its other necessary packages on a Splunk 6.5.5 environment on a freshly upgraded to 3.1.1 Machine Learning Toolkit, but am getting stuck on setup process post installation.

From the app I navigate to the dashboard '0. Setup' it gives a simple set of instructions to follow, but I am getting stuck on Step 8 which wants me to go to the third dashboard (Create Machine Learning Models). According to the steps I should be able to create machine learning models on that dashboard. However once the panels load I see results in all but the bottom panel "Cache results of model generation for next iteration". The panel has a message indicating it is waiting for input, but the page has nowhere for me to input anything. By looking at the search behind the panel I can see it looks like there is an open quote, but I am not sure if I am overlooking something specific to machine learning searches/commands.

Below is the search for the panel which is waiting for input:

| inputlookup dga_algos 
| map search="| inputlookup dga_domains_features 
| search partition_number=1 
| apply \"$algo$\" 
| \`confusionmatrix(class,\"predicted(class)\")\` 
| eval Algorithm=\"$algo$\"" 
| outputlookup dga_model_results

Is there something major I am overlooking on the steps? Or has anyone else had any issues like this?

Full setup instructions from dashboard below:

sabaKhadivi · ‎04-28-2019

I installed and set up DGA base on its instruction, but I don't know how to use it's data in my own network or how it can work on my own network data?

pdrieger_splunk · ‎07-30-2019

Hi @sabaKhadivi please see https://answers.splunk.com/answers/711128/how-to-apply-these-trained-data-models-to-actual-d.html

kimikoyan · ‎07-17-2019

I have the same question... Have you worked it out now ?

pdrieger_splunk · ‎01-04-2018

Thanks for sharing your findings stehannan1! This dashboard panel was a little "leftover" on that version - happy to get this into my backlog for the next release. The lower case naming should also be fixed - thanks again for sharing!

stehannan1 · ‎12-20-2017

I was doing some further troubleshooting and found that the confusionmatrix macro which was being referenced in the search was not available for the DGA app, but only to Machine Learning. Once I made it available to all apps I can now do the search from search within the DGA app.

But when I try and use it on the third dashboard page I still get a message saying waiting for input on the last panel. Which is odd to me since I can enter the search behind the panel and get results.

I also notice that the search has the first quotation mark highlighted in red as if there was some formatting issue.

stehannan1 · ‎12-20-2017

Okay, so it looks like everything besides that one panel is working once I made that macro available to all apps. But, I noticed that the Input "Machine Learning Algorithm" within static options had the algorithm SupportVectorMachine had an incorrect value of "dga_SVM" when it should be all lower-case "dga_svm". That change allowed me to see all 4 algorithms operationalized on that dashboard.

I am currently waiting for the other models to build which say it should take 2-3 hours.

DGA App for Splunk: Trouble setting up the Create Machine Learning Models dashboard

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk