This repository was archived by the owner on Aug 16, 2022. It is now read-only.
docs/ad/index.md (36 additions & 4 deletions)
@@ -55,12 +55,39 @@ For example, if you choose `min()`, the detector focuses on finding anomalies ba
55
55
You can add a maximum of five features for a detector.
56
56
{: .note }
57
57
58
-
1. On the **Features** page, select **Add features**.
59
-
1. Enter the **Name** of the feature.
58
+
1. On the **Model configuration** page, enter the **Feature name**.
60
59
1. For **Find anomalies based on**, choose the method to find anomalies. For **Field Value** menu, choose the **field** and the **aggregation method**. Or choose **Custom expression**, and add in your own JSON aggregation query.
61
-
1. Preview sample anomalies and adjust the feature settings if needed.
62
-
- For sample previews, the anomaly detection plugin selects a small number of data samples---for example, one data point every 30 minutes---and uses interpolation to estimate the remaining data points to approximate the actual feature data. It loads this sample dataset into the detector. The detector uses this sample dataset to generate a sample preview of anomaly results.
60
+
61
+
#### (Optional) Set a category field
62
+
63
+
You can categorize anomalies based on a keyword or IP field type.
64
+
65
+
If you specify a category in the same time series but sliced with a different dimension like IP addresses, product IDs, country codes, and so on, you’ll see a granular view of anomalies within each entity of that field. This helps to dive deeper into anomalies of a unique entity or ID and isolate and debug issues.
66
+
67
+
To set a category field, choose **Enable a category field** and select a field.
68
+
69
+
Only a certain number of unique entities are supported in the category field. Use the following equation to calculate the recommended total number of entities number supported in a cluster:
70
+
71
+
```
72
+
(JvmHeapSizeInMb / 20) * (DataNodesCount)
73
+
```
74
+
75
+
For example, for a cluster with 3 data nodes, each with 8G of JVM heap size, the total number of unique entities supported is (8096 / 20 ) * 3 = 1200.
76
+
77
+
#### Set a window size
78
+
79
+
Set the number of aggregation intervals from your data stream to consider in a detection window. We recommend you choose this value based on your actual data to see which one leads to the best results for your use case.
80
+
81
+
Based on experiments performed on a wide variety of one-dimensional data streams, we recommend using a window size between 1 and 16. The default window size is 8.
82
+
83
+
If you expect missing values in your data or if you want the anomalies based on the current interval, choose 1. If your data is continuously ingested and you want the anomalies based on multiple intervals, choose a larger window size.
84
+
85
+
#### Preview sample anomalies
86
+
87
+
Preview sample anomalies and adjust the feature settings if needed.
88
+
For sample previews, the anomaly detection plugin selects a small number of data samples---for example, one data point every 30 minutes---and uses interpolation to estimate the remaining data points to approximate the actual feature data. It loads this sample dataset into the detector. The detector uses this sample dataset to generate a sample preview of anomaly results.
63
89
Examine the sample preview and use it to fine-tune your feature configurations, for example, enable or disable features, to get more accurate results.
90
+
64
91
1. Choose **Save and start detector**.
65
92
1. Choose between automatically starting the detector (recommended) or manually starting the detector at a later time.
66
93
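Review bot: The worked example in the added category-field text does not add up: 8G of heap is 8192 MB rather than 8096, and (8096 / 20) * 3 is about 1214, not 1200 (with 8192 it is about 1229). Suggest correcting the figures or saying the result is rounded down, and stating whether `JvmHeapSizeInMb` is the heap of a single data node, which the example implies. The sentence introducing the formula reads "total number of entities number supported"; drop the second "number". The text also does not say what happens when a category field has more unique entities than this limit, which matters for high-cardinality fields such as IP addresses. Finally, the new `####` headings sit between numbered `1.` steps, so check in the rendered page that "Choose **Save and start detector**" still continues the step numbering.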
@@ -86,6 +113,11 @@ If you see the detector pending in "initialization" for longer than a day, aggre
86
113
87
114
Anomaly grade is a number between 0 and 1 that indicates the level of severity of how anomalous a data point is. An anomaly grade of 0 represents “not an anomaly,” and a non-zero value represents the relative severity of the anomaly. The confidence score is an estimate of the probability that the reported anomaly grade matches the expected anomaly grade. Confidence increases as the model observes more data and learns the data behavior and trends. Note that confidence is distinct from model accuracy.
88
115
116
+
If you set the category field, you see an additional **Heat map** chart. The heat map correlates results for anomalous entities.
117
+
118
+
Choose a filled rectangle to see a more detailed view of the anomaly.
119
+
{: .note }
120
+
89
121
### Step 4: Set up alerts
90
122
91
123
To create a monitor to send you notifications when any anomalies are detected, choose **Set up alerts**.
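Review bot: In the added heat map text, `{: .note }` follows "Choose a filled rectangle to see a more detailed view of the anomaly.", so that instruction is what gets styled as a note while the sentence introducing the heat map stays plain; confirm this is intended. The text also says the heat map "correlates results for anomalous entities" without saying what the rows, columns or cell shading represent. One sentence on that would let a reader interpret the chart alongside the anomaly grade and confidence described in the paragraph above.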
docs/alerting/index.md (0 additions & 3 deletions)
@@ -11,9 +11,6 @@ Kibana
11
11
12
12
The alerting feature notifies you when data from one or more Elasticsearch indices meets certain conditions. For example, you might want to notify a [Slack](https://slack.com/) channel if your application logs more than five HTTP 503 errors in one hour, or you might want to page a developer if no new documents have been indexed in the past 20 minutes.
13
13
14
-
Monitors run as the `admin` user, which means that monitors can query all documents in all indices and do not consider the roles of the user who created the monitor. If your cluster contains sensitive data, we recommend [removing the alerting plugin](../install/plugins/#remove-plugins).
15
-
{: .warning }
16
-
17
14
To get started, choose **Alerting** in Kibana.
18
15
19
16
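Review bot: The removed `{: .warning }` paragraph is the only text in this hunk telling readers that monitors run as the `admin` user and do not consider the roles of the user who created them, and nothing is added in its place. If that behaviour has changed, replace the warning with a sentence stating whose permissions a monitor now runs with; if it has not, keep the warning, since it is what tells operators with sensitive data that monitor queries are not limited by the creator's roles.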
