Get anomaly detection jobs APIedit

Retrieves configuration information for anomaly detection jobs.


GET _ml/anomaly_detectors/<job_id>

GET _ml/anomaly_detectors/<job_id>,<job_id>

GET _ml/anomaly_detectors/

GET _ml/anomaly_detectors/_all



You can get information for multiple anomaly detection jobs in a single API request by using a group name, a comma-separated list of jobs, or a wildcard expression. You can get information for all anomaly detection jobs by using _all, by specifying * as the <job_id>, or by omitting the <job_id>.

This API returns a maximum of 10,000 jobs.

Path parametersedit

(Optional, string) Identifier for the anomaly detection job. It can be a job identifier, a group name, or a wildcard expression. If you do not specify one of these options, the API returns information for all anomaly detection jobs.

Query parametersedit

(Optional, Boolean) [7.10] Deprecated in 7.10. Use allow_no_match instead.

(Optional, Boolean) Specifies what to do when the request:

  • Contains wildcard expressions and there are no jobs that match.
  • Contains the _all string or no identifiers and there are no matches.
  • Contains wildcard expressions and there are only partial matches.

The default value is true, which returns an empty jobs array when there are no matches and the subset of results when there are partial matches. If this parameter is false, the request returns a 404 status code when there are no matches or only partial matches.

(Optional, Boolean) Indicates if certain fields should be removed from the configuration on retrieval. This allows the configuration to be in an acceptable format to be retrieved and then added to another cluster. Default is false.

Response bodyedit

The API returns an array of anomaly detection job resources. For the full list of properties, see create anomaly detection jobs API.

(string) The time the job was created. For example, 1491007356077. This property is informational; you cannot change its value.
(string) If the job closed or failed, this is the time the job finished. Otherwise, it is null. This property is informational; you cannot change its value.
(string) Reserved for future use, currently set to anomaly_detector.
(string) The version of Elasticsearch that existed on the node when the job was created.
(string) A numerical character string that uniquely identifies the model snapshot.

Response codesedit

404 (Missing resources)
If allow_no_match is false, this code indicates that there are no resources that match the request or only partial matches for the request.


GET _ml/anomaly_detectors/high_sum_total_sales

The API returns the following results:

  "count": 1,
  "jobs": [
      "job_id" : "high_sum_total_sales",
      "job_type" : "anomaly_detector",
      "job_version" : "7.5.0",
      "groups" : [
      "description" : "Find customers spending an unusually high amount in an hour",
      "create_time" : 1577221534700,
      "analysis_config" : {
        "bucket_span" : "1h",
        "detectors" : [
            "detector_description" : "High total sales",
            "function" : "high_sum",
            "field_name" : "taxful_total_price",
            "over_field_name" : "customer_full_name.keyword",
            "detector_index" : 0
        "influencers" : [
      "analysis_limits" : {
        "model_memory_limit" : "10mb",
        "categorization_examples_limit" : 4
      "data_description" : {
        "time_field" : "order_date",
        "time_format" : "epoch_ms"
      "model_plot_config" : {
        "enabled" : true
      "model_snapshot_retention_days" : 10,
      "daily_model_snapshot_retention_after_days" : 1,
      "custom_settings" : {
        "created_by" : "ml-module-sample",
      "model_snapshot_id" : "1575402237",
      "results_index_name" : "shared",
      "allow_lazy_open" : false