Machine Learning Toolkit Overview in Splunk Enterprise Security

The Splunk Machine Learning Toolkit (MLTK) is replacing Extreme Search (XS) as a model generation package in Enterprise Security (ES). MLTK can scale at larger volume and also can identify more abnormal events through its models. See Welcome to the Machine Learning Toolkit in the Splunk Machine Learning Toolkit User Guide.

In an effort to improve performance and save space as compared to XS, MLTK behaves differently. As an example, XS runs on a schedule, such as daily, over a short time window. Then XS stores its models, and many of the searches merge daily data into those models, so that the historical data grows bigger over the course of a year. MLTK also runs on a schedule, such as daily, but over a bigger time window. MLTK does not merge the daily data, but replaces it with every run. The MLTK data does not grow as large, and remains more relevant to the current timeframe. The main commands that are replacing the XS commands are fit and apply. The default correlation searches that use XS in ES are updated for you.
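The fit-then-apply pattern described above, as an added illustration that is not part of the Splunk documentation or the shipped ES correlation searches. The model name failed_auth_baseline, the 30-day training window and the 0.01 outlier threshold are assumptions; the first search is the daily scheduled fit that rebuilds the model from scratch each run, the second is the hourly apply that would sit in a correlation search.

```spl
| tstats count from datamodel=Authentication
    where Authentication.action="failure" earliest=-30d@d latest=@d
    by _time span=1h
| eval HourOfDay=strftime(_time,"%H"), DayOfWeek=strftime(_time,"%A")
| fit DensityFunction count by "HourOfDay,DayOfWeek" into app:failed_auth_baseline

| tstats count from datamodel=Authentication
    where Authentication.action="failure" earliest=-1h@h latest=@h
    by _time span=1h
| eval HourOfDay=strftime(_time,"%H"), DayOfWeek=strftime(_time,"%A")
| apply failed_auth_baseline threshold=0.01
| where 'IsOutlier(count)'=1
```

Because the fit search writes over the saved model with the into clause every time it runs, the stored model stays the size of one 30-day window rather than accumulating merged daily data as the XS searches did.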