|
| 1 | +--- |
| 2 | +mapped_pages: |
| 3 | + - https://www.elastic.co/guide/en/machine-learning/master/ml-configuring-populations.html |
| 4 | +--- |
| 5 | + |
| 6 | +# Performing population analysis [ml-configuring-populations] |
| 7 | + |
| 8 | +Population analysis is a method of detecting anomalies by comparing the behavior of entities or events within a specified population. In this approach, {{ml}} analytics create a profile of what is considered "typical" behavior for users, machines, or other entities over a specified time period. An entity is considered as anomalous when its behavior deviates from that of the population, indicating abnormal activity compared to the rest of the population. |
| 9 | + |
| 10 | +This type of analysis is most effective when the behavior within a group is generally homogeneous, allowing for the identification of unusual patterns. However, it is less useful when members of the population show vastly different behaviors. In such cases, you can segment your data into groups with similar behaviors and run separate jobs for each. This can be done by using a query filter in the datafeed or by applying the `partition_field_name` to split the analysis across different groups. |
| 11 | + |
| 12 | +Population analysis is resource-efficient and scales well, enabling the analysis of populations consisting of hundreds of thousands or even millions of entities with a lower resource footprint than analyzing each series individually. |
| 13 | + |
| 14 | + |
| 15 | +## Recommendations [population-recommendations] |
| 16 | + |
| 17 | +* Use population analysis when the behavior within a group is mostly homogeneous, as it helps identify anomalous patterns effectively. |
| 18 | +* Leverage population analysis when dealing with large-scale datasets. |
| 19 | +* Avoid using population analysis when members of the population exhibit vastly different behaviors, as it may not be effective. |
| 20 | + |
| 21 | + |
| 22 | +## Creating population jobs [creating-population-jobs] |
| 23 | + |
| 24 | +1. In {{kib}}, navigate to **Jobs**. To open **Jobs**, find **{{ml-app}} > Anomaly Detection** in the main menu, or use the [global search field](https://www.elastic.co/guide/en/kibana/current/kibana-concepts-analysts.html#_finding_your_apps_and_objects). |
| 25 | +2. Click **Create job**, select the {{data-source}} you want to analyze. |
| 26 | +3. Select the **Population** wizard from the list. |
| 27 | +4. Choose a population field - it’s the `clientip` field in this example - and the metric you want to use for the analysis - `Mean(bytes)` in this example. |
| 28 | + |
| 29 | + :::{image} ../../../images/machine-learning-ml-population-wizard.png |
| 30 | + :alt: Creating a population job in Kibana |
| 31 | + :class: screenshot |
| 32 | + ::: |
| 33 | + |
| 34 | +5. Click **Next**. |
| 35 | +6. Provide a job ID and click **Next**. |
| 36 | +7. If the validation is successful, click **Next** to review the summary of the job creation. |
| 37 | +8. Click **Create job**. |
| 38 | + |
| 39 | +::::{dropdown} API example |
| 40 | +To specify the population, use the `over_field_name` property. For example: |
| 41 | + |
| 42 | +```console |
| 43 | +PUT _ml/anomaly_detectors/population |
| 44 | +{ |
| 45 | + "description" : "Population analysis", |
| 46 | + "analysis_config" : { |
| 47 | + "bucket_span":"15m", |
| 48 | + "influencers": [ |
| 49 | + "clientip" |
| 50 | + ], |
| 51 | + "detectors": [ |
| 52 | + { |
| 53 | + "function": "mean", |
| 54 | + "field_name": "bytes", |
| 55 | + "over_field_name": "clientip" <1> |
| 56 | + } |
| 57 | + ] |
| 58 | + }, |
| 59 | + "data_description" : { |
| 60 | + "time_field":"timestamp", |
| 61 | + "time_format": "epoch_ms" |
| 62 | + } |
| 63 | +} |
| 64 | +``` |
| 65 | + |
| 66 | +1. This `over_field_name` property indicates that the metrics for each client (as identified by their IP address) are analyzed relative to other clients in each bucket. |
| 67 | + |
| 68 | + |
| 69 | +:::: |
| 70 | + |
| 71 | + |
| 72 | + |
| 73 | +### Viewing the job results [population-job-results] |
| 74 | + |
| 75 | +Use the **Anomaly Explorer** in {{kib}} to view the analysis results: |
| 76 | + |
| 77 | +:::{image} ../../../images/machine-learning-ml-population-anomalies.png |
| 78 | +:alt: Population results in the Anomaly Explorer |
| 79 | +:class: screenshot |
| 80 | +::: |
| 81 | + |
| 82 | +The results are often quite sparse. There might be just a few data points for the selected time period. Population analysis is particularly useful when you have many entities and the data for specific entitles is sporadic or sparse. If you click on a section in the timeline or swim lanes, you can see more details about the anomalies: |
| 83 | + |
| 84 | +:::{image} ../../../images/machine-learning-ml-population-anomaly.png |
| 85 | +:alt: Anomaly details for a specific user |
| 86 | +:class: screenshot |
| 87 | +::: |
| 88 | + |
| 89 | +In this example, the client IP address `167.145.234.154` received a high volume of bytes on the date and time shown. This event is anomalous because the mean is four times higher than the expected behavior of the population. |
0 commit comments