Get anomaly records for an anomaly detection job | Elasticsearch API documentation (original) (raw)

Dismiss highlight Show more

Query parameters

• If true, the results are sorted in descending order.
• Returns records with timestamps earlier than this time. The default value means results are not limited to specific timestamps.
• If true, the output excludes interim results.
• Skips the specified number of records.
• Returns records with anomaly scores greater or equal than this value.
• Specifies the maximum number of records to obtain.
• Specifies the sort field for the requested records.
• Returns records with timestamps after this time. The default value means results are not limited to specific timestamps.

application/json

Body

• Refer to the description for the desc query parameter.

• end string | number

A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
Time unit for milliseconds

• Refer to the description for the exclude_interim query parameter.
• Hide page attributes Show page attributes object
  • Skips the specified number of items.
  • Specifies the maximum number of items to obtain.
• Refer to the description for the record_score query parameter.
• Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

• start string | number

A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
Time unit for milliseconds

Responses

• 200 application/json
  Hide response attributes Show response attributes object
  • Hide records attributes Show records attributes object
    * The actual value for the bucket.
    * Hide anomaly_score_explanation attributes Show anomaly_score_explanation attributes object
    * Impact from the duration and magnitude of the detected anomaly relative to the historical average.
    * Length of the detected anomaly in the number of buckets.
    * Type of the detected anomaly: spike or dip.
    * Indicates reduction of anomaly score for the bucket with large confidence intervals. If a bucket has large confidence intervals, the score is reduced.
    * If the bucket contains fewer samples than expected, the score is reduced.
    * Lower bound of the 95% confidence interval.
    * Impact of the deviation between actual and typical values in the past 12 buckets.
    * Impact of the deviation between actual and typical values in the current bucket.
    * Typical (expected) value for this bucket.
    * Upper bound of the 95% confidence interval.
    * Time unit for seconds
    * The field used to split the data. In particular, this property is used for analyzing the splits with respect to their own history. It is used for finding unusual values in the context of the split.
    * The value of by_field_name.
    * For population analysis, an over field must be specified in the detector. This property contains an array of anomaly records that are the causes for the anomaly that has been identified for the over field. This sub-resource contains the most anomalous records for the over_field_name. For scalability reasons, a maximum of the 10 most significant causes of the anomaly are returned. As part of the core analytical modeling, these low-level anomaly records are aggregated for their parent over field record. The causes resource contains similar elements to the record resource, namely actual, typical, geo_results.actual_point, geo_results.typical_point, *_field_name and *_field_value. Probability and scores are not applicable to causes.
    Hide causes attributes Show causes attributes object
    * Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
    * Hide geo_results attributes Show geo_results attributes object
    * The actual value for the bucket formatted as a geo_point.
    * The typical value for the bucket formatted as a geo_point.
    * A unique identifier for the detector.
    * Certain functions require a field to operate on, for example, sum(). For those functions, this value is the name of the field to be analyzed.
    * The function in which the anomaly occurs, as specified in the detector configuration. For example, max.
    * The description of the function in which the anomaly occurs, as specified in the detector configuration.
    * Hide geo_results attributes Show geo_results attributes object
    * The actual value for the bucket formatted as a geo_point.
    * The typical value for the bucket formatted as a geo_point.
    * If influencers were specified in the detector configuration, this array contains influencers that contributed to or were to blame for an anomaly.
    Hide influencers attributes Show influencers attributes object
    * A normalized score between 0-100, which is based on the probability of the anomalousness of this record. This is the initial value that was calculated at the time the bucket was processed.
    * If true, this is an interim result. In other words, the results are calculated based on partial input data.
    * Identifier for the anomaly detection job.
    * The field used to split the data. In particular, this property is used for analyzing the splits with respect to the history of all splits. It is used for finding unusual values in the population of all splits.
    * The value of over_field_name.
    * The field used to segment the analysis. When you use this property, you have completely independent baselines for each value of this field.
    * The value of partition_field_name.
    * The probability of the individual anomaly occurring, in the range 0 to 1. For example, 0.0000772031. This value can be held to a high precision of over 300 decimal places, so the record_score is provided as a human-readable and friendly interpretation of this.
    * A normalized score between 0-100, which is based on the probability of the anomalousness of this record. Unlike initial_record_score, this value will be updated by a re-normalization process as new data is analyzed.
    * Internal. This is always set to record.
    * Time unit for milliseconds
    * The typical value for the bucket, according to analytical modeling.