Get anomaly detection jobs Generally available; Added in 7.7.0

GET /_cat/ml/anomaly_detectors

Get configuration and usage information for anomaly detection jobs. This API returns a maximum of 10,000 jobs. If the Elasticsearch security features are enabled, you must have monitor_ml, monitor, manage_ml, or manage cluster privileges to use this API.

IMPORTANT: CAT APIs are only intended for human consumption using the Kibana console or command line. They are not intended for use by applications. For application consumption, use the get anomaly detection job statistics API. ##Required authorization

  • Cluster privileges: monitor_ml

Query parameters

  • allow_no_match boolean

    Specifies what to do when the request:

    • Contains wildcard expressions and there are no jobs that match.
    • Contains the _all string or no identifiers and there are no matches.
    • Contains wildcard expressions and there are only partial matches.

    If true, the API returns an empty jobs array when there are no matches and the subset of results when there are partial matches. If false, the API returns a 404 status code when there are no matches or only partial matches.

  • bytes string

    The unit used to display byte values.

    Values are b, kb, mb, gb, tb, or pb.

  • h string | array[string]

    Comma-separated list of column names to display.

    Values are assignment_explanation, ae, buckets.count, bc, bucketsCount, buckets.time.exp_avg, btea, bucketsTimeExpAvg, buckets.time.exp_avg_hour, bteah, bucketsTimeExpAvgHour, buckets.time.max, btmax, bucketsTimeMax, buckets.time.min, btmin, bucketsTimeMin, buckets.time.total, btt, bucketsTimeTotal, data.buckets, db, dataBuckets, data.earliest_record, der, dataEarliestRecord, data.empty_buckets, deb, dataEmptyBuckets, data.input_bytes, dib, dataInputBytes, data.input_fields, dif, dataInputFields, data.input_records, dir, dataInputRecords, data.invalid_dates, did, dataInvalidDates, data.last, dl, dataLast, data.last_empty_bucket, dleb, dataLastEmptyBucket, data.last_sparse_bucket, dlsb, dataLastSparseBucket, data.latest_record, dlr, dataLatestRecord, data.missing_fields, dmf, dataMissingFields, data.out_of_order_timestamps, doot, dataOutOfOrderTimestamps, data.processed_fields, dpf, dataProcessedFields, data.processed_records, dpr, dataProcessedRecords, data.sparse_buckets, dsb, dataSparseBuckets, forecasts.memory.avg, fmavg, forecastsMemoryAvg, forecasts.memory.max, fmmax, forecastsMemoryMax, forecasts.memory.min, fmmin, forecastsMemoryMin, forecasts.memory.total, fmt, forecastsMemoryTotal, forecasts.records.avg, fravg, forecastsRecordsAvg, forecasts.records.max, frmax, forecastsRecordsMax, forecasts.records.min, frmin, forecastsRecordsMin, forecasts.records.total, frt, forecastsRecordsTotal, forecasts.time.avg, ftavg, forecastsTimeAvg, forecasts.time.max, ftmax, forecastsTimeMax, forecasts.time.min, ftmin, forecastsTimeMin, forecasts.time.total, ftt, forecastsTimeTotal, forecasts.total, ft, forecastsTotal, id, model.bucket_allocation_failures, mbaf, modelBucketAllocationFailures, model.by_fields, mbf, modelByFields, model.bytes, mb, modelBytes, model.bytes_exceeded, mbe, modelBytesExceeded, model.categorization_status, mcs, modelCategorizationStatus, model.categorized_doc_count, mcdc, modelCategorizedDocCount, model.dead_category_count, mdcc, modelDeadCategoryCount, model.failed_category_count, modelFailedCategoryCount, model.frequent_category_count, mfcc, modelFrequentCategoryCount, model.log_time, mlt, modelLogTime, model.memory_limit, mml, modelMemoryLimit, model.memory_status, mms, modelMemoryStatus, model.over_fields, mof, modelOverFields, model.partition_fields, mpf, modelPartitionFields, model.rare_category_count, mrcc, modelRareCategoryCount, model.timestamp, mt, modelTimestamp, model.total_category_count, mtcc, modelTotalCategoryCount, node.address, na, nodeAddress, node.ephemeral_id, ne, nodeEphemeralId, node.id, ni, nodeId, node.name, nn, nodeName, opened_time, ot, state, or s.

  • s string | array[string]

    Comma-separated list of column names or column aliases used to sort the response.

    Values are assignment_explanation, ae, buckets.count, bc, bucketsCount, buckets.time.exp_avg, btea, bucketsTimeExpAvg, buckets.time.exp_avg_hour, bteah, bucketsTimeExpAvgHour, buckets.time.max, btmax, bucketsTimeMax, buckets.time.min, btmin, bucketsTimeMin, buckets.time.total, btt, bucketsTimeTotal, data.buckets, db, dataBuckets, data.earliest_record, der, dataEarliestRecord, data.empty_buckets, deb, dataEmptyBuckets, data.input_bytes, dib, dataInputBytes, data.input_fields, dif, dataInputFields, data.input_records, dir, dataInputRecords, data.invalid_dates, did, dataInvalidDates, data.last, dl, dataLast, data.last_empty_bucket, dleb, dataLastEmptyBucket, data.last_sparse_bucket, dlsb, dataLastSparseBucket, data.latest_record, dlr, dataLatestRecord, data.missing_fields, dmf, dataMissingFields, data.out_of_order_timestamps, doot, dataOutOfOrderTimestamps, data.processed_fields, dpf, dataProcessedFields, data.processed_records, dpr, dataProcessedRecords, data.sparse_buckets, dsb, dataSparseBuckets, forecasts.memory.avg, fmavg, forecastsMemoryAvg, forecasts.memory.max, fmmax, forecastsMemoryMax, forecasts.memory.min, fmmin, forecastsMemoryMin, forecasts.memory.total, fmt, forecastsMemoryTotal, forecasts.records.avg, fravg, forecastsRecordsAvg, forecasts.records.max, frmax, forecastsRecordsMax, forecasts.records.min, frmin, forecastsRecordsMin, forecasts.records.total, frt, forecastsRecordsTotal, forecasts.time.avg, ftavg, forecastsTimeAvg, forecasts.time.max, ftmax, forecastsTimeMax, forecasts.time.min, ftmin, forecastsTimeMin, forecasts.time.total, ftt, forecastsTimeTotal, forecasts.total, ft, forecastsTotal, id, model.bucket_allocation_failures, mbaf, modelBucketAllocationFailures, model.by_fields, mbf, modelByFields, model.bytes, mb, modelBytes, model.bytes_exceeded, mbe, modelBytesExceeded, model.categorization_status, mcs, modelCategorizationStatus, model.categorized_doc_count, mcdc, modelCategorizedDocCount, model.dead_category_count, mdcc, modelDeadCategoryCount, model.failed_category_count, modelFailedCategoryCount, model.frequent_category_count, mfcc, modelFrequentCategoryCount, model.log_time, mlt, modelLogTime, model.memory_limit, mml, modelMemoryLimit, model.memory_status, mms, modelMemoryStatus, model.over_fields, mof, modelOverFields, model.partition_fields, mpf, modelPartitionFields, model.rare_category_count, mrcc, modelRareCategoryCount, model.timestamp, mt, modelTimestamp, model.total_category_count, mtcc, modelTotalCategoryCount, node.address, na, nodeAddress, node.ephemeral_id, ne, nodeEphemeralId, node.id, ni, nodeId, node.name, nn, nodeName, opened_time, ot, state, or s.

  • time string

    The unit used to display time values.

    Values are nanos, micros, ms, s, m, h, or d.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • id string
    • state string

      Values are closing, closed, opened, failed, or opening.

    • opened_time string

      For open jobs only, the amount of time the job has been opened.

    • assignment_explanation string

      For open anomaly detection jobs only, contains messages relating to the selection of a node to run the job.

    • data.processed_records string

      The number of input documents that have been processed by the anomaly detection job. This value includes documents with missing fields, since they are nonetheless analyzed. If you use datafeeds and have aggregations in your search query, the processed_record_count is the number of aggregation results processed, not the number of Elasticsearch documents.

    • data.processed_fields string

      The total number of fields in all the documents that have been processed by the anomaly detection job. Only fields that are specified in the detector configuration object contribute to this count. The timestamp is not included in this count.

    • data.input_bytes number | string

      One of:
      ByteSize number ByteSize string
    • data.input_records string

      The number of input documents posted to the anomaly detection job.

    • data.input_fields string

      The total number of fields in input documents posted to the anomaly detection job. This count includes fields that are not used in the analysis. However, be aware that if you are using a datafeed, it extracts only the required fields from the documents it retrieves before posting them to the job.

    • data.invalid_dates string

      The number of input documents with either a missing date field or a date that could not be parsed.

    • data.missing_fields string

      The number of input documents that are missing a field that the anomaly detection job is configured to analyze. Input documents with missing fields are still processed because it is possible that not all fields are missing. If you are using datafeeds or posting data to the job in JSON format, a high missing_field_count is often not an indication of data issues. It is not necessarily a cause for concern.

    • data.out_of_order_timestamps string

      The number of input documents that have a timestamp chronologically preceding the start of the current anomaly detection bucket offset by the latency window. This information is applicable only when you provide data to the anomaly detection job by using the post data API. These out of order documents are discarded, since jobs require time series data to be in ascending chronological order.

    • data.empty_buckets string

      The number of buckets which did not contain any data. If your data contains many empty buckets, consider increasing your bucket_span or using functions that are tolerant to gaps in data such as mean, non_null_sum or non_zero_count.

    • data.sparse_buckets string

      The number of buckets that contained few data points compared to the expected number of data points. If your data contains many sparse buckets, consider using a longer bucket_span.

    • data.buckets string

      The total number of buckets processed.

    • data.earliest_record string

      The timestamp of the earliest chronologically input document.

    • data.latest_record string

      The timestamp of the latest chronologically input document.

    • data.last string

      The timestamp at which data was last analyzed, according to server time.

    • data.last_empty_bucket string

      The timestamp of the last bucket that did not contain any data.

    • data.last_sparse_bucket string

      The timestamp of the last bucket that was considered sparse.

    • model.bytes number | string

      One of:
      ByteSize number ByteSize string
    • model.memory_status string

      Values are ok, soft_limit, or hard_limit.

    • model.bytes_exceeded number | string

      One of:
      ByteSize number ByteSize string
    • model.memory_limit string

      The upper limit for model memory usage, checked on increasing values.

    • model.by_fields string

      The number of by field values that were analyzed by the models. This value is cumulative for all detectors in the job.

    • model.over_fields string

      The number of over field values that were analyzed by the models. This value is cumulative for all detectors in the job.

    • model.partition_fields string

      The number of partition field values that were analyzed by the models. This value is cumulative for all detectors in the job.

    • model.bucket_allocation_failures string

      The number of buckets for which new entities in incoming data were not processed due to insufficient model memory. This situation is also signified by a hard_limit: memory_status property value.

    • model.categorization_status string

      Values are ok or warn.

    • model.categorized_doc_count string

      The number of documents that have had a field categorized.

    • model.total_category_count string

      The number of categories created by categorization.

    • model.frequent_category_count string

      The number of categories that match more than 1% of categorized documents.

    • model.rare_category_count string

      The number of categories that match just one categorized document.

    • model.dead_category_count string

      The number of categories created by categorization that will never be assigned again because another category’s definition makes it a superset of the dead category. Dead categories are a side effect of the way categorization has no prior training.

    • model.failed_category_count string

      The number of times that categorization wanted to create a new category but couldn’t because the job had hit its model_memory_limit. This count does not track which specific categories failed to be created. Therefore you cannot use this value to determine the number of unique categories that were missed.

    • model.log_time string

      The timestamp when the model stats were gathered, according to server time.

    • model.timestamp string

      The timestamp of the last record when the model stats were gathered.

    • forecasts.total string

      The number of individual forecasts currently available for the job. A value of one or more indicates that forecasts exist.

    • forecasts.memory.min string

      The minimum memory usage in bytes for forecasts related to the anomaly detection job.

    • forecasts.memory.max string

      The maximum memory usage in bytes for forecasts related to the anomaly detection job.

    • forecasts.memory.avg string

      The average memory usage in bytes for forecasts related to the anomaly detection job.

    • forecasts.memory.total string

      The total memory usage in bytes for forecasts related to the anomaly detection job.

    • forecasts.records.min string

      The minimum number of model_forecast documents written for forecasts related to the anomaly detection job.

    • forecasts.records.max string

      The maximum number of model_forecast documents written for forecasts related to the anomaly detection job.

    • forecasts.records.avg string

      The average number of model_forecast documents written for forecasts related to the anomaly detection job.

    • forecasts.records.total string

      The total number of model_forecast documents written for forecasts related to the anomaly detection job.

    • forecasts.time.min string

      The minimum runtime in milliseconds for forecasts related to the anomaly detection job.

    • forecasts.time.max string

      The maximum runtime in milliseconds for forecasts related to the anomaly detection job.

    • forecasts.time.avg string

      The average runtime in milliseconds for forecasts related to the anomaly detection job.

    • forecasts.time.total string

      The total runtime in milliseconds for forecasts related to the anomaly detection job.

    • node.id string
    • node.name string

      The name of the assigned node.

    • node.ephemeral_id string
    • node.address string

      The network address of the assigned node.

    • buckets.count string

      The number of bucket results produced by the job.

    • buckets.time.total string

      The sum of all bucket processing times, in milliseconds.

    • buckets.time.min string

      The minimum of all bucket processing times, in milliseconds.

    • buckets.time.max string

      The maximum of all bucket processing times, in milliseconds.

    • buckets.time.exp_avg string

      The exponential moving average of all bucket processing times, in milliseconds.

    • buckets.time.exp_avg_hour string

      The exponential moving average of bucket processing times calculated in a one hour time window, in milliseconds.
GET /_cat/ml/anomaly_detectors 
GET _cat/ml/anomaly_detectors?h=id,s,dpr,mb&v=true&format=json

curl \
 --request GET 'http://api.example.com/_cat/ml/anomaly_detectors'
Response examples (200)
A successful response from `GET _cat/ml/anomaly_detectors?h=id,s,dpr,mb&v=true&format=json`. 
[
  {
    "id": "high_sum_total_sales",
    "s": "closed",
    "dpr": "14022",
    "mb": "1.5mb"
  },
  {
    "id": "low_request_rate",
    "s": "closed",
    "dpr": "1216",
    "mb": "40.5kb"
  },
  {
    "id": "response_code_rates",
    "s": "closed",
    "dpr": "28146",
    "mb": "132.7kb"
  },
  {
    "id": "url_scanning",
    "s": "closed",
    "dpr": "28146",
    "mb": "501.6kb"
  }
]

Documentation preview

This is a preview of your version @2025-06-09 which is not yet released.

View current documentation