elastic · colleenmcginnis · Feb 10, 2025 · Feb 7, 2025 · Feb 7, 2025 · Feb 10, 2025
@@ -1,6 +1,7 @@
 ---
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-restore-snapshots-containing-searchable-snapshots-indices-across-clusters.html
+  - https://www.elastic.co/guide/en/cloud/current/ec-restore-snapshots-containing-searchable-snapshots-indices-across-clusters.html
 ---
 
 # Restore snapshots containing searchable snapshots indices across clusters [ece-restore-snapshots-containing-searchable-snapshots-indices-across-clusters]
@@ -22,7 +23,7 @@ Pre-requisites for restoring snapshots containing searchable snapshot indices ac
     Previous versions had issues restoring the snapshot or recovering searchable snapshot indices in case of, for example, node failure.
 
 
-::::{important} 
+::::{important}
 The snapshot in the source cluster MUST NOT be deleted even after being successfully restored in the destination cluster. In fact, that’s also the case for the searchable snapshots in the source cluster for which there were indices backed by the restored snapshot. These snapshots are required for recovery of the searchable snapshot indices in case of, for example, node failure.
 
 This means that until you delete the searchable snapshot indices in the destination cluster, you must not delete your source deployment, delete the restored snapshot, or delete any of the searchable snapshots used by the searchable snapshot indices.

@@ -1,6 +1,7 @@
 ---
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-restore-snapshots-into-existing-deployment.html
+  - https://www.elastic.co/guide/en/cloud/current/ec-restore-snapshots-into-existing-deployment.html
 ---
 
 # Restore snapshot into an existing deployment [ece-restore-snapshots-into-existing-deployment]

@@ -1,6 +1,7 @@
 ---
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-restore-snapshots-into-new-deployment.html
+  - https://www.elastic.co/guide/en/cloud/current/ec-restore-snapshots-into-new-deployment.html
 ---
 
 # Restore snapshot into a new deployment [ece-restore-snapshots-into-new-deployment]

@@ -13,7 +13,7 @@ Though it is quite simple to analyze your data and provide quick {{ml}} results,
 * [Using runtime fields in {{dfeeds}}](ml-configuring-transform.md)
 * [Customizing detectors with custom rules](ml-configuring-detector-custom-rules.md)
 * [Detecting anomalous categories of data](ml-configuring-categories.md)
-* [Performing population analysis](https://www.elastic.co/guide/en/machine-learning/current/ml-configuring-populations.html)
+* [Performing population analysis](ml-configuring-populations.md)
 * [Reverting to a model snapshot](ml-reverting-model-snapshot.md)
 * [Detecting anomalous locations in geographic data](geographic-anomalies.md)
 * [Mapping anomalies by location](mapping-anomalies.md)

@@ -0,0 +1,89 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/machine-learning/current/ml-configuring-populations.html
+---
+
+# Performing population analysis [ml-configuring-populations]
+
+Population analysis is a method of detecting anomalies by comparing the behavior of entities or events within a specified population. In this approach, {{ml}} analytics create a profile of what is considered "typical" behavior for users, machines, or other entities over a specified time period. An entity is considered as anomalous when its behavior deviates from that of the population, indicating abnormal activity compared to the rest of the population.
+
+This type of analysis is most effective when the behavior within a group is generally homogeneous, allowing for the identification of unusual patterns. However, it is less useful when members of the population show vastly different behaviors. In such cases, you can segment your data into groups with similar behaviors and run separate jobs for each. This can be done by using a query filter in the datafeed or by applying the `partition_field_name` to split the analysis across different groups.
+
+Population analysis is resource-efficient and scales well, enabling the analysis of populations consisting of hundreds of thousands or even millions of entities with a lower resource footprint than analyzing each series individually.
+
+
+## Recommendations [population-recommendations]
+
+* Use population analysis when the behavior within a group is mostly homogeneous, as it helps identify anomalous patterns effectively.
+* Leverage population analysis when dealing with large-scale datasets.
+* Avoid using population analysis when members of the population exhibit vastly different behaviors, as it may not be effective.
+
+
+## Creating population jobs [creating-population-jobs]
+
+1. In {{kib}}, navigate to **Jobs**. To open **Jobs**, find **{{ml-app}} > Anomaly Detection** in the main menu, or use the [global search field](https://www.elastic.co/guide/en/kibana/current/kibana-concepts-analysts.html#_finding_your_apps_and_objects).
+2. Click **Create job**, select the {{data-source}} you want to analyze.
+3. Select the **Population** wizard from the list.
+4. Choose a population field - it’s the `clientip` field in this example - and the metric you want to use for the analysis - `Mean(bytes)` in this example.
+
+    :::{image} images/ml-population-wizard.png
+    :alt: Creating a population job in Kibana
+    :class: screenshot
+    :::
+
+5. Click **Next**.
+6. Provide a job ID and click **Next**.
+7. If the validation is successful, click **Next** to review the summary of the job creation.
+8. Click **Create job**.
+
+::::{dropdown} API example
+To specify the population, use the `over_field_name` property. For example:
+
+```console
+PUT _ml/anomaly_detectors/population
+{
+  "description" : "Population analysis",
+  "analysis_config" : {
+    "bucket_span":"15m",
+    "influencers": [
+      "clientip"
+    ],
+    "detectors": [
+      {
+        "function": "mean",
+        "field_name": "bytes",
+        "over_field_name": "clientip" <1>
+      }
+    ]
+  },
+  "data_description" : {
+    "time_field":"timestamp",
+    "time_format": "epoch_ms"
+  }
+}
+```
+
+1. This `over_field_name` property indicates that the metrics for each client (as identified by their IP address) are analyzed relative to other clients in each bucket.
+
+
+::::
+
+
+
+### Viewing the job results [population-job-results]
+
+Use the **Anomaly Explorer** in {{kib}} to view the analysis results:
+
+:::{image} ../../../images/machine-learning-ml-population-anomalies.png
+:alt: Population results in the Anomaly Explorer
+:class: screenshot
+:::
+
+The results are often quite sparse. There might be just a few data points for the selected time period. Population analysis is particularly useful when you have many entities and the data for specific entitles is sporadic or sparse. If you click on a section in the timeline or swim lanes, you can see more details about the anomalies:
+
+:::{image} ../../../images/machine-learning-ml-population-anomaly.png
+:alt: Anomaly details for a specific user
+:class: screenshot
+:::
+
+In this example, the client IP address `167.145.234.154` received a high volume of bytes on the date and time shown. This event is anomalous because the mean is four times higher than the expected behavior of the population.
diff --git a/...chine-learning/machine-learning-in-kibana/observability-aiops-analyze-spikes.md b/...chine-learning/machine-learning-in-kibana/observability-aiops-analyze-spikes.md
@@ -0,0 +1,58 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/serverless/current/observability-aiops-analyze-spikes.html
+---
+
+# Analyze log spikes and drops [observability-aiops-analyze-spikes]
+
+{{obs-serverless}} provides built-in log rate analysis capabilities, based on advanced statistical methods, to help you find and investigate the causes of unusual spikes or drops in log rates.
+
+To analyze log spikes and drops:
+
+1. In your {{obs-serverless}} project, go to **Machine learning** → **Log rate analysis**.
+2. Choose a data view or saved search to access the log data you want to analyze.
+3. In the histogram chart, click a spike (or drop) and then run the analysis.
+
+    :::{image} images/log-rate-histogram.png
+    :alt: Histogram showing log spikes and drops
+    :class: screenshot
+    :::
+
+    When the analysis runs, it identifies statistically significant field-value combinations that contribute to the spike or drop, and then displays them in a table:
+
+    :::{image} images/log-rate-analysis-results.png
+    :alt: Histogram showing log spikes and drops
+    :class: screenshot
+    :::
+
+    Notice that you can optionally turn on **Smart grouping** to summarize the results into groups. You can also click **Filter fields** to remove fields that are not relevant.
+
+    The table shows an indicator of the level of impact and a sparkline showing the shape of the impact in the chart.
+
+4. Select a row to display the impact of the field on the histogram chart.
+5. From the **Actions** menu in the table, you can choose to view the field in **Discover**, view it in [Log Pattern Analysis](observability-aiops-analyze-spikes.md#log-pattern-analysis), or copy the table row information to the clipboard as a query filter.
+
+To pin a table row, click the row, then move the cursor to the histogram chart. It displays a tooltip with exact count values for the pinned field which enables closer investigation.
+
+Brushes in the chart show the baseline time range and the deviation in the analyzed data. You can move the brushes to redefine both the baseline and the deviation and rerun the analysis with the modified values.
+
+
+## Log pattern analysis [log-pattern-analysis]
+
+Use log pattern analysis to find patterns in unstructured log messages and examine your data. When you run a log pattern analysis, it performs categorization analysis on a selected field, creates categories based on the data, and then displays them together in a chart. The chart shows the distribution of each category and an example document that matches the category. Log pattern analysis is useful when you want to examine how often different types of logs appear in your data set. It also helps you group logs in ways that go beyond what you can achieve with a terms aggregation.
+
+To run log pattern analysis:
+
+1. Follow the steps under [Analyze log spikes and drops](observability-aiops-analyze-spikes.md) to run a log rate analysis.
+2. From the **Actions** menu, choose **View in Log Pattern Analysis**.
+3. Select a category field and optionally apply any filters that you want.
+4. Click **Run pattern analysis**.
+
+    The results of the analysis are shown in a table:
+
+    :::{image} images/log-pattern-analysis.png
+    :alt: Log pattern analysis of the message field
+    :class: screenshot
+    :::
+
+5. From the **Actions** menu, click the plus (or minus) icon to open **Discover** and show (or filter out) the given category there, which helps you to further examine your log messages.