Why are results missing?edit
The default settings in Graph API requests are configured to tune out noisy results by using the following strategies:
- Only looking at samples of the most-relevant documents for a query
- Only considering terms that have a significant statistical correlation with the sample
- Only considering terms to be paired that have at least 3 documents asserting that connection
These are useful defaults for getting the "big picture" signals from noisy data, but they can miss details from individual documents. If you need to perform a detailed forensic analysis, you can adjust the following settings to ensure a graph exploration produces all of the relevant data:
sample_sizeto a larger number of documents to analyze more data on each shard.
falseto retrieve terms regardless of any statistical correlation with the sample.
min_doc_countfor your vertices to 1 to ensure only one document is required to assert a relationship.
What can I do to improve performance?edit
With the default setting of
use_significance set to
true, the Graph API
performs a background frequency check of the terms it discovers as part of
exploration. Each unique term has to have its frequency looked up in the index,
which costs at least one disk seek. Disk seeks are expensive. If you don’t need
to perform this noise-filtering, setting
eliminates all of these expensive checks (at the expense of not performing any
quality-filtering on the terms).
If your data is noisy and you need to filter based on significance, you can reduce the number of frequency checks by:
sample_size. Considering fewer documents can actually be better when the quality of matches is quite variable.
- Avoiding noisy documents that have a large number of terms. You can do this by either allowing ranking to naturally favor shorter documents in the top-results sample (see enabling norms) or by explicitly excluding large documents with your seed and guiding queries.
- Increasing the frequency threshold. Many many terms occur very infrequently so even increasing the frequency threshold by one can massively reduce the number of candidate terms whose background frequencies are checked.
Keep in mind that all of these options reduce the scope of information analyzed and can increase the potential to miss what could be interesting details. However, the information that’s lost tends to be associated with lower-quality documents with lower-frequency terms, which can be an acceptable trade-off.
Limited support for multiple indicesedit
The graph API can explore multiple indices, types, or aliases in a single API request, but the assumption is that each "hop" it performs is querying the same set of indices. Currently, it is not possible to take a term found in a field from one index and use that value to explore connections in a different field held in another type or index.
A good example of where this might be useful is if an IP address is
found in the
remote_host field of an index called "weblogs20160101",
you might want to follow that up by looking for the same address in
ip_address field of an index called "knownthreats".
Supporting this behavior would require extra mappings to indicate that
remote_host field contained values that had currency and
meaning in the
ip_address field of the threats index.
Since we do not currently support this translation, you would have to perform multiple calls to take the values from the weblogs index response and build them into a separate request to the threats index.
Intro to Kibana
ELK for Logs & Metrics