WARNING: Version 5.6 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
By completing this tutorial, you’ve learned how to detect anomalous behavior in a simple set of sample data. You created single and multi-metric jobs in Kibana; under the covers, Kibana creates and opens the jobs and creates and starts the datafeeds for you. You examined the results of the machine learning analysis in the Single Metric Viewer and Anomaly Explorer in Kibana.
If you want to learn about advanced job options, you might be interested in the following video tutorial: Machine Learning Lab 3 - Detect Outliers in a Population.
If you intend to use machine learning APIs in your applications, a good next step might be to learn about the APIs by retrieving information about these sample jobs. For example, the following APIs retrieve information about the jobs and datafeeds.
```
GET _xpack/ml/anomaly_detectors

GET _xpack/ml/datafeeds
```
For more information about the machine learning APIs, see API Quick Reference.
Ultimately, the next step is to start applying machine learning to your own data. As mentioned in Identifying Data for Analysis, there are three things to consider when you’re thinking about where machine learning will be most impactful:
- It must be time series data.
- It should be information that contains key performance indicators for the health, security, or success of your business or system. The better you know the data, the quicker you will be able to create jobs that generate useful insights.
- Ideally, the data is located in Elasticsearch and you can therefore create a datafeed that retrieves data in real time. If your data is outside of Elasticsearch, you cannot use Kibana to create your jobs and you cannot use datafeeds. Machine learning analysis is still possible, however, by using APIs to create and manage jobs and to post data to them.
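For the last case, data that lives outside Elasticsearch, the following added example (not part of the original documentation) turns log lines into time-ordered documents and builds the create, open and post-data requests for a job, without sending them. The job name, the field names `timestamp` and `failed_logins`, and the sample log lines are assumptions constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: sshd-style lines from a host whose logs are not in Elasticsearch.
SAMPLE_LOG = """\
2017-09-01T10:00:12Z sshd[811]: Failed password for root from 203.0.113.7
2017-09-01T10:00:40Z sshd[811]: Accepted password for alice from 198.51.100.4
2017-09-01T10:03:05Z sshd[812]: Failed password for admin from 203.0.113.7
2017-09-01T10:06:59Z sshd[815]: Failed password for root from 203.0.113.9
"""

JOB_ID = "failed-logins-example"  # hypothetical job name
BUCKET_SECONDS = 300              # kept equal to the job's bucket_span of "5m"


def failed_login_series(log_text, bucket_seconds=BUCKET_SECONDS):
    """Count failed logins per time bucket and return documents in time order."""
    counts = Counter()
    for line in log_text.splitlines():
        stamp, _, message = line.partition(" ")
        if "Failed password" not in message:
            continue
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        epoch = int(ts.timestamp())
        counts[epoch - epoch % bucket_seconds] += 1
    # Sorted by timestamp: posted data has to arrive in chronological order.
    return [{"timestamp": t, "failed_logins": n} for t, n in sorted(counts.items())]


def build_requests(docs, job_id=JOB_ID):
    """Return (method, path, body) tuples: create the job, open it, post the data."""
    job = {
        "description": "Failed SSH logins per 5 minutes (added example)",
        "analysis_config": {
            "bucket_span": "5m",
            "detectors": [{"function": "sum", "field_name": "failed_logins"}],
        },
        "data_description": {"time_field": "timestamp", "time_format": "epoch"},
    }
    base = "_xpack/ml/anomaly_detectors/" + job_id
    payload = "\n".join(json.dumps(d) for d in docs)
    return [("PUT", base, json.dumps(job)),
            ("POST", base + "/_open", ""),
            ("POST", base + "/_data", payload)]


if __name__ == "__main__":
    for method, path, body in build_requests(failed_login_series(SAMPLE_LOG)):
        print(method, path)
        print(body)
```

Each tuple can be sent with any HTTP client that authenticates to the cluster; the bodies are plain JSON.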
Once you have decided which data to analyze, you can start considering which analysis functions you want to use. For more information, see Function Reference.
In general, it is a good idea to start with single metric jobs for your key performance indicators. After you examine these simple analysis results, you will have a better idea of what the influencers might be. You can create multi-metric jobs and split the data or create more complex analysis functions as necessary.