Create anomaly detection jobs APIedit

Instantiates an anomaly detection job.

Requestedit

PUT _ml/anomaly_detectors/<job_id>

Prerequisitesedit

  • If the Elasticsearch security features are enabled, you must have manage_ml or manage cluster privileges to use this API. See Security privileges.

Descriptionedit

You must use Kibana or this API to create an anomaly detection job. Do not put a job directly to the .ml-config index using the Elasticsearch index API. If Elasticsearch security features are enabled, do not give users write privileges on the .ml-config index.

Path parametersedit

<job_id>
(Required, string) Identifier for the anomaly detection job. This identifier can contain lowercase alphanumeric characters (a-z and 0-9), hyphens, and underscores. It must start and end with alphanumeric characters.

Request bodyedit

allow_lazy_open
(Optional, boolean) Advanced configuration option. Specifies whether this job can open when there is insufficient machine learning node capacity for it to be immediately assigned to a node. The default value is false; if a machine learning node with capacity to run the job cannot immediately be found, the open anomaly detection jobs API returns an error. However, this is also subject to the cluster-wide xpack.ml.max_lazy_ml_nodes setting; see Advanced machine learning settings. If this option is set to true, the open anomaly detection jobs API does not return an error and the job waits in the opening state until sufficient machine learning node capacity is available.
analysis_config

(Required, object) The analysis configuration, which specifies how to analyze the data. After you create a job, you cannot change the analysis configuration; all the properties are informational.

Properties of analysis_config
bucket_span
(time units) The size of the interval that the analysis is aggregated into, typically between 5m and 1h. The default value is 5m. If the anomaly detection job uses a datafeed with aggregations, this value must be divisible by the interval of the date histogram aggregation. For more information, see Buckets.
categorization_analyzer

(object or string) If categorization_field_name is specified, you can also define the analyzer that is used to interpret the categorization field. This property cannot be used at the same time as categorization_filters. The categorization analyzer specifies how the categorization_field is interpreted by the categorization process. The syntax is very similar to that used to define the analyzer in the Analyze endpoint. For more information, see Categorizing log messages.

The categorization_analyzer field can be specified either as a string or as an object. If it is a string it must refer to a built-in analyzer or one added by another plugin. If it is an object it has the following properties:

Properties of categorization_analyzer
char_filter
(array of strings or objects) One or more character filters. In addition to the built-in character filters, other plugins can provide more character filters. This property is optional. If it is not specified, no character filters are applied prior to categorization. If you are customizing some other aspect of the analyzer and you need to achieve the equivalent of categorization_filters (which are not permitted when some other aspect of the analyzer is customized), add them here as pattern replace character filters.
tokenizer
(string or object) The name or definition of the tokenizer to use after character filters are applied. This property is compulsory if categorization_analyzer is specified as an object. Machine learning provides a tokenizer called ml_classic that tokenizes in the same way as the non-customizable tokenizer in older versions of the product. If you want to use that tokenizer but change the character or token filters, specify "tokenizer": "ml_classic" in your categorization_analyzer.
filter
(array of strings or objects) One or more token filters. In addition to the built-in token filters, other plugins can provide more token filters. This property is optional. If it is not specified, no token filters are applied prior to categorization.
categorization_field_name
(string) If this property is specified, the values of the specified field will be categorized. The resulting categories must be used in a detector by setting by_field_name, over_field_name, or partition_field_name to the keyword mlcategory. For more information, see Categorizing log messages.
categorization_filters
(array of strings) If categorization_field_name is specified, you can also define optional filters. This property expects an array of regular expressions. The expressions are used to filter out matching sequences from the categorization field values. You can use this functionality to fine tune the categorization by excluding sequences from consideration when categories are defined. For example, you can exclude SQL statements that appear in your log files. For more information, see Categorizing log messages. This property cannot be used at the same time as categorization_analyzer. If you only want to define simple regular expression filters that are applied prior to tokenization, setting this property is the easiest method. If you also want to customize the tokenizer or post-tokenization filtering, use the categorization_analyzer property instead and include the filters as pattern_replace character filters. The effect is exactly the same.
detectors

(array) An array of detector configuration objects. Detector configuration objects specify which data fields a job analyzes. They also specify which analytical functions are used. You can specify multiple detectors for a job.

If the detectors array does not contain at least one detector, no analysis can occur and an error is returned.

Properties of detectors
by_field_name
(string) The field used to split the data. In particular, this property is used for analyzing the splits with respect to their own history. It is used for finding unusual values in the context of the split.
custom_rules

(array) An array of custom rule objects, which enable you to customize the way detectors operate. For example, a rule may dictate to the detector conditions under which results should be skipped. For more examples, see Customizing detectors with custom rules.

Properties of custom_rules
actions

(array) The set of actions to be triggered when the rule applies. If more than one action is specified the effects of all actions are combined. The available actions include:

  • skip_result: The result will not be created. This is the default value. Unless you also specify skip_model_update, the model will be updated as usual with the corresponding series value.
  • skip_model_update: The value for that series will not be used to update the model. Unless you also specify skip_result, the results will be created as usual. This action is suitable when certain values are expected to be consistently anomalous and they affect the model in a way that negatively impacts the rest of the results.
conditions

(array) An optional array of numeric conditions when the rule applies. A rule must either have a non-empty scope or at least one condition. Multiple conditions are combined together with a logical AND. A condition has the following properties:

Properties of conditions
applies_to
(string) Specifies the result property to which the condition applies. The available options are actual, typical, diff_from_typical, time. If your detector uses lat_long, metric, rare, or freq_rare functions, you can only specify conditions that apply to time.
operator
(string) Specifies the condition operator. The available options are gt (greater than), gte (greater than or equals), lt (less than) and lte (less than or equals).
value
(double) The value that is compared against the applies_to field using the operator.
scope

(object) An optional scope of series where the rule applies. A rule must either have a non-empty scope or at least one condition. By default, the scope includes all series. Scoping is allowed for any of the fields that are also specified in by_field_name, over_field_name, or partition_field_name. To add a scope for a field, add the field name as a key in the scope object and set its value to an object with the following properties:

Properties of scope
filter_id
(string) The id of the filter to be used.
filter_type
(string) Either include (the rule applies for values in the filter) or exclude (the rule applies for values not in the filter). Defaults to include.
detector_description
(string) A description of the detector. For example, Low event rate.
detector_index

(integer) A unique identifier for the detector. This identifier is based on the order of the detectors in the analysis_config, starting at zero.

If you specify a value for this property, it is ignored.

exclude_frequent
(string) Contains one of the following values: all, none, by, or over. If set, frequent entities are excluded from influencing the anomaly results. Entities can be considered frequent over time or frequent in a population. If you are working with both over and by fields, then you can set exclude_frequent to all for both fields, or to by or over for those specific fields.
field_name

(string) The field that the detector uses in the function. If you use an event rate function such as count or rare, do not specify this field.

The field_name cannot contain double quotes or backslashes.

function
(string) The analysis function that is used. For example, count, rare, mean, min, max, and sum. For more information, see Function reference.
over_field_name
(string) The field used to split the data. In particular, this property is used for analyzing the splits with respect to the history of all splits. It is used for finding unusual values in the population of all splits. For more information, see Performing population analysis.
partition_field_name
(string) The field used to segment the analysis. When you use this property, you have completely independent baselines for each value of this field.
use_null
(boolean) Defines whether a new series is used as the null series when there is no value for the by or partition fields. The default value is false.
influencers
(array of strings) A comma separated list of influencer field names. Typically these can be the by, over, or partition fields that are used in the detector configuration. You might also want to use a field name that is not specifically named in a detector, but is available as part of the input data. When you use multiple detectors, the use of influencers is recommended as it aggregates results for each influencer entity.
latency

(time units) The size of the window in which to expect data that is out of time order. The default value is 0 (no latency). If you specify a non-zero value, it must be greater than or equal to one second. For more information about time units, see Time units.

Latency is only applicable when you send data by using the post data API.

multivariate_by_fields

(boolean) This functionality is reserved for internal use. It is not supported for use in customer environments and is not subject to the support SLA of official GA features.

If set to true, the analysis will automatically find correlations between metrics for a given by field value and report anomalies when those correlations cease to hold. For example, suppose CPU and memory usage on host A is usually highly correlated with the same metrics on host B. Perhaps this correlation occurs because they are running a load-balanced application. If you enable this property, then anomalies will be reported when, for example, CPU usage on host A is high and the value of CPU usage on host B is low. That is to say, you’ll see an anomaly when the CPU of host A is unusual given the CPU of host B.

To use the multivariate_by_fields property, you must also specify by_field_name in your detector.

summary_count_field_name

(string) If this property is specified, the data that is fed to the job is expected to be pre-summarized. This property value is the name of the field that contains the count of raw data points that have been summarized. The same summary_count_field_name applies to all detectors in the job.

The summary_count_field_name property cannot be used with the metric function.

analysis_limits

(Optional, object) Limits can be applied for the resources required to hold the mathematical models in memory. These limits are approximate and can be set per job. They do not control the memory used by other processes, for example the Elasticsearch Java processes.

Properties of analysis_limits
categorization_examples_limit

(long) The maximum number of examples stored per category in memory and in the results data store. The default value is 4. If you increase this value, more examples are available, however it requires that you have more storage available. If you set this value to 0, no examples are stored.

The categorization_examples_limit only applies to analysis that uses categorization. For more information, see Categorizing log messages.

model_memory_limit

(long or string) The approximate maximum amount of memory resources that are required for analytical processing. Once this limit is approached, data pruning becomes more aggressive. Upon exceeding this limit, new entities are not modeled. The default value for jobs created in version 6.1 and later is 1024mb. This value will need to be increased for jobs that are expected to analyze high cardinality fields, but the default is set to a relatively small size to ensure that high resource usage is a conscious decision. The default value for jobs created in versions earlier than 6.1 is 4096mb.

If you specify a number instead of a string, the units are assumed to be MiB. Specifying a string is recommended for clarity. If you specify a byte size unit of b or kb and the number does not equate to a discrete number of megabytes, it is rounded down to the closest MiB. The minimum valid value is 1 MiB. If you specify a value less than 1 MiB, an error occurs. For more information about supported byte size units, see Byte size units.

If your elasticsearch.yml file contains an xpack.ml.max_model_memory_limit setting, an error occurs when you try to create jobs that have model_memory_limit values greater than that setting. For more information, see Machine learning settings.

background_persist_interval

(Optional, time units) Advanced configuration option. The time between each periodic persistence of the model. The default value is a randomized value between 3 to 4 hours, which avoids all jobs persisting at exactly the same time. The smallest allowed value is 1 hour.

For very large models (several GB), persistence could take 10-20 minutes, so do not set the background_persist_interval value too low.

custom_settings
(Optional, object) Advanced configuration option. Contains custom meta data about the job. For example, it can contain custom URL information as shown in Adding custom URLs to machine learning results.
data_description

(Required, object) The data description defines the format of the input data when you send data to the job by using the post data API. Note that when configure a datafeed, these properties are automatically set. When data is received via the post data API, it is not stored in Elasticsearch. Only the results for anomaly detection are retained.

Properties of data_description
format
(string) Only JSON format is supported at this time.
time_field
(string) The name of the field that contains the timestamp. The default value is time.
time_format

(string) The time format, which can be epoch, epoch_ms, or a custom pattern. The default value is epoch, which refers to UNIX or Epoch time (the number of seconds since 1 Jan 1970). The value epoch_ms indicates that time is measured in milliseconds since the epoch. The epoch and epoch_ms time formats accept either integer or real values.

Custom patterns must conform to the Java DateTimeFormatter class. When you use date-time formatting patterns, it is recommended that you provide the full date, time and time zone. For example: yyyy-MM-dd'T'HH:mm:ssX. If the pattern that you specify is not sufficient to produce a complete timestamp, job creation fails.

daily_model_snapshot_retention_after_days
(Optional, long) Advanced configuration option, which affects the automatic removal of old model snapshots for this job. It specifies a period of time (in days) after which only the first snapshot per day is retained. This period is relative to the timestamp of the most recent snapshot for this job. Valid values range from 0 to model_snapshot_retention_days. For new jobs, the default value is 1. For jobs created before version 7.8.0, the default value matches model_snapshot_retention_days. For more information, refer to Model snapshots.
description
(Optional, string) A description of the job.
groups
(Optional, array of strings) A list of job groups. A job can belong to no groups or many.
model_plot_config

(Optional, object) This advanced configuration option stores model information along with the results. It provides a more detailed view into anomaly detection.

If you enable model plot it can add considerable overhead to the performance of the system; it is not feasible for jobs with many entities.

Model plot provides a simplified and indicative view of the model and its bounds. It does not display complex features such as multivariate correlations or multimodal data. As such, anomalies may occasionally be reported which cannot be seen in the model plot.

Model plot config can be configured when the job is created or updated later. It must be disabled if performance issues are experienced.

Properties of model_plot_config
enabled
(boolean) If true, enables calculation and storage of the model bounds for each entity that is being analyzed. By default, this is not enabled.
terms
[experimental] This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features. (string) Limits data collection to this comma separated list of partition or by field values. If terms are not specified or it is an empty string, no filtering is applied. For example, "CPU,NetworkIn,DiskWrites". Wildcards are not supported. Only the specified terms can be viewed when using the Single Metric Viewer.
model_snapshot_retention_days
(Optional, long) Advanced configuration option, which affects the automatic removal of old model snapshots for this job. It specifies the maximum period of time (in days) that snapshots are retained. This period is relative to the timestamp of the most recent snapshot for this job. The default value is 10, which means snapshots ten days older than the newest snapshot are deleted. For more information, refer to Model snapshots.
renormalization_window_days
(Optional, long) Advanced configuration option. The period over which adjustments to the score are applied, as new data is seen. The default value is the longer of 30 days or 100 bucket_spans.
results_index_name
(Optional, string) A text string that affects the name of the machine learning results index. The default value is shared, which generates an index named .ml-anomalies-shared.
results_retention_days
(Optional, long) Advanced configuration option. The period of time (in days) that results are retained. Age is calculated relative to the timestamp of the latest bucket result. If this property has a non-null value, once per day at 00:30 (server time), results that are the specified number of days older than the latest bucket result are deleted from Elasticsearch. The default value is null, which means all results are retained.

Examplesedit

PUT _ml/anomaly_detectors/total-requests
{
  "description" : "Total sum of requests",
  "analysis_config" : {
    "bucket_span":"10m",
    "detectors": [
      {
        "detector_description": "Sum of total",
        "function": "sum",
        "field_name": "total"
      }
    ]
  },
  "data_description" : {
    "time_field":"timestamp",
    "time_format": "epoch_ms"
  }
}

When the job is created, you receive the following results:

{
  "job_id" : "total-requests",
  "job_type" : "anomaly_detector",
  "job_version" : "8.0.0",
  "description" : "Total sum of requests",
  "create_time" : 1562352500629,
  "analysis_config" : {
    "bucket_span" : "10m",
    "detectors" : [
      {
        "detector_description" : "Sum of total",
        "function" : "sum",
        "field_name" : "total",
        "detector_index" : 0
      }
    ],
    "influencers" : [ ]
  },
  "analysis_limits" : {
    "model_memory_limit" : "1024mb",
    "categorization_examples_limit" : 4
  },
  "data_description" : {
    "time_field" : "timestamp",
    "time_format" : "epoch_ms"
  },
  "model_snapshot_retention_days" : 10,
  "daily_model_snapshot_retention_after_days" : 1,
  "results_index_name" : "shared",
  "allow_lazy_open" : false
}