Results

Get Buckets

The get bucket API enables you to retrieve job results for one or more buckets.

Request

GET _xpack/ml/anomaly_detectors/<job_id>/results/buckets

GET _xpack/ml/anomaly_detectors/<job_id>/results/buckets/<timestamp>

Description

This API presents a chronological view of the records, grouped by bucket.

Path Parameters

job_id
(string) Identifier for the job.
timestamp
(string) The timestamp of a single bucket result. If you do not specify this optional parameter, the API returns information about all buckets.

Request Body

anomaly_score
(double) Returns buckets with anomaly scores higher than this value.
end
(string) Returns buckets with timestamps earlier than this time.
exclude_interim
(boolean) If true, the output excludes interim results. By default, interim results are included.
expand
(boolean) If true, the output includes anomaly records.
page
  from
  (integer) Skips the specified number of buckets.
  size
  (integer) Specifies the maximum number of buckets to obtain.
start
(string) Returns buckets with timestamps after this time.

Results

The API returns the following information:

buckets
(array) An array of bucket objects. For more information, see Buckets.

Authorization

You must have monitor_ml, monitor, manage_ml, or manage cluster privileges to use this API. You also need read index privilege on the index that stores the results. The machine_learning_admin and machine_learning_user roles provide these privileges. For more information, see Security Privileges and Built-in Roles.

Examples

The following example gets bucket information for the it-ops-kpi job:

GET _xpack/ml/anomaly_detectors/it-ops-kpi/results/buckets
{
  "anomaly_score": 80,
  "start": "1454530200001"
}

In this example, the API returns a single result that matches the specified score and time constraints:

{
  "count": 1,
  "buckets": [
    {
      "job_id": "it-ops-kpi",
      "timestamp": 1454943900000,
      "anomaly_score": 94.1706,
      "bucket_span": 300,
      "initial_anomaly_score": 94.1706,
      "record_count": 1,
      "event_count": 153,
      "is_interim": false,
      "bucket_influencers": [
        {
          "job_id": "it-ops-kpi",
          "result_type": "bucket_influencer",
          "influencer_field_name": "bucket_time",
          "initial_anomaly_score": 94.1706,
          "anomaly_score": 94.1706,
          "raw_anomaly_score": 2.32119,
          "probability": 0.00000575042,
          "timestamp": 1454943900000,
          "bucket_span": 300,
          "sequence_num": 2,
          "is_interim": false
        }
      ],
      "processing_time_ms": 2,
      "partition_scores": [],
      "result_type": "bucket"
    }
  ]
}

Get Categories

The get categories API enables you to retrieve job results for one or more categories.

Request

GET _xpack/ml/anomaly_detectors/<job_id>/results/categories

GET _xpack/ml/anomaly_detectors/<job_id>/results/categories/<category_id>

Path Parameters

job_id
(string) Identifier for the job.
category_id
(string) Identifier for the category. If you do not specify this optional parameter, the API returns information about all categories in the job.

Request Body

page
  from
  (integer) Skips the specified number of categories.
  size
  (integer) Specifies the maximum number of categories to obtain.

Results

The API returns the following information:

categories
(array) An array of category objects. For more information, see Categories.

Authorization

You must have monitor_ml, monitor, manage_ml, or manage cluster privileges to use this API. You also need read index privilege on the index that stores the results. The machine_learning_admin and machine_learning_user roles provide these privileges. For more information, see Security Privileges and Built-in Roles.

Examples

The following example gets information about one category for the it_ops_new_logs job:

GET _xpack/ml/anomaly_detectors/it_ops_new_logs/results/categories
{
  "page": {
    "size": 1
  }
}

In this example, the API returns the following information:

{
  "count": 11,
  "categories": [
    {
      "job_id": "it_ops_new_logs",
      "category_id": 1,
      "terms": "Actual Transaction Already Voided Reversed hostname dbserver.acme.com physicalhost esxserver1.acme.com vmhost app1.acme.com",
      "regex": ".*?Actual.+?Transaction.+?Already.+?Voided.+?Reversed.+?hostname.+?dbserver.acme.com.+?physicalhost.+?esxserver1.acme.com.+?vmhost.+?app1.acme.com.*",
      "max_matching_length": 137,
      "examples": [
        "Actual Transaction Already Voided / Reversed;hostname=dbserver.acme.com;physicalhost=esxserver1.acme.com;vmhost=app1.acme.com"
      ]
    }
  ]
}

Get Influencers

The get influencers API enables you to retrieve job results for one or more influencers.

Request

GET _xpack/ml/anomaly_detectors/<job_id>/results/influencers

Path Parameters

job_id
(string) Identifier for the job.

Request Body

desc
(boolean) If true, the results are sorted in descending order.
end
(string) Returns influencers with timestamps earlier than this time.
exclude_interim
(boolean) If true, the output excludes interim results. By default, interim results are included.
influencer_score
(double) Returns influencers with anomaly scores higher than this value.
page
  from
  (integer) Skips the specified number of influencers.
  size
  (integer) Specifies the maximum number of influencers to obtain.
sort
(string) Specifies the sort field for the requested influencers.
start
(string) Returns influencers with timestamps after this time.

Results

The API returns the following information:

influencers
(array) An array of influencer objects. For more information, see Influencers.

Authorization

You must have monitor_ml, monitor, manage_ml, or manage cluster privileges to use this API. You also need read index privilege on the index that stores the results. The machine_learning_admin and machine_learning_user roles provide these privileges. For more information, see Security Privileges and Built-in Roles.

Examples

The following example gets influencer information for the it_ops_new_kpi job:

GET _xpack/ml/anomaly_detectors/it_ops_new_kpi/results/influencers
{
  "sort": "influencer_score",
  "desc": true
}

In this example, the API returns the following information, sorted based on the influencer score in descending order:

{
  "count": 28,
  "influencers": [
    {
      "job_id": "it_ops_new_kpi",
      "result_type": "influencer",
      "influencer_field_name": "kpi_indicator",
      "influencer_field_value": "online_purchases",
      "kpi_indicator": "online_purchases",
      "influencer_score": 94.1386,
      "initial_influencer_score": 94.1386,
      "probability": 0.000111612,
      "sequence_num": 2,
      "bucket_span": 600,
      "is_interim": false,
      "timestamp": 1454943600000
    },
  ...
  ]
}

Get Records

The get records API enables you to retrieve anomaly records for a job.

Request

GET _xpack/ml/anomaly_detectors/<job_id>/results/records

Path Parameters

job_id
(string) Identifier for the job.

Request Body

desc
(boolean) If true, the results are sorted in descending order.
end
(string) Returns records with timestamps earlier than this time.
exclude_interim
(boolean) If true, the output excludes interim results. By default, interim results are included.
page
  from
  (integer) Skips the specified number of records.
  size
  (integer) Specifies the maximum number of records to obtain.
record_score
(double) Returns records with anomaly scores higher than this value.
sort
(string) Specifies the sort field for the requested records. By default, the records are sorted by the anomaly_score value.
start
(string) Returns records with timestamps after this time.

Results

The API returns the following information:

records
(array) An array of record objects. For more information, see Records.

Authorization

You must have monitor_ml, monitor, manage_ml, or manage cluster privileges to use this API. You also need read index privilege on the index that stores the results. The machine_learning_admin and machine_learning_user roles provide these privileges. For more information, see Security Privileges and Built-in Roles.

Examples

The following example gets record information for the it-ops-kpi job:

GET _xpack/ml/anomaly_detectors/it-ops-kpi/results/records
{
  "sort": "record_score",
  "desc": true,
  "start": "1454944100000"
}

In this example, the API returns twelve results for the specified time constraints:

{
  "count": 12,
  "records": [
    {
      "job_id": "it-ops-kpi",
      "result_type": "record",
      "probability": 0.00000332668,
      "record_score": 72.9929,
      "initial_record_score": 65.7923,
      "bucket_span": 300,
      "detector_index": 0,
      "sequence_num": 1,
      "is_interim": false,
      "timestamp": 1454944200000,
      "function": "low_sum",
      "function_description": "sum",
      "typical": [
        1806.48
      ],
      "actual": [
        288
      ],
      "field_name": "events_per_min"
    },
  ...
  ]
}
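The following added example (not part of this documentation or of the X-Pack client libraries) shows how the Get Buckets and Get Records APIs are typically chained in a triage script: page through the final buckets whose anomaly_score exceeds a threshold using page.from and page.size, then pull the records that fall inside one bucket's span by deriving start and end from the bucket's timestamp and bucket_span. The transport, the sample results and the assumption that start is inclusive and end exclusive are all constructed here so the code runs offline.

```python
from typing import Callable, List

# Transport = any callable (method, path, body) -> parsed JSON. In production it wraps an
# HTTP client whose credentials carry monitor_ml plus read on the results index; here a
# constructed in-memory stub (fake_send, below) stands in so the example runs offline.
ML = "_xpack/ml/anomaly_detectors"

def get_buckets(send: Callable, job_id: str, min_score: float, page_size: int = 100) -> List[dict]:
    """Walk results/buckets via page.from/page.size; keep final buckets scoring above min_score."""
    body = {"anomaly_score": min_score, "exclude_interim": True,
            "page": {"from": 0, "size": page_size}}
    found: List[dict] = []
    while True:
        resp = send("GET", f"{ML}/{job_id}/results/buckets", body)
        found.extend(resp["buckets"])
        body["page"]["from"] += page_size          # advance to the next page
        if not resp["buckets"] or body["page"]["from"] >= resp["count"]:
            return found

def get_bucket_records(send: Callable, job_id: str, bucket: dict, min_score: float = 0.0) -> List[dict]:
    """Records inside one bucket's span, highest record_score first (bucket_span is seconds, timestamps ms)."""
    start = bucket["timestamp"]
    end = start + bucket["bucket_span"] * 1000
    body = {"start": str(start), "end": str(end), "record_score": min_score,
            "sort": "record_score", "desc": True, "exclude_interim": True}
    return send("GET", f"{ML}/{job_id}/results/records", body)["records"]

# Constructed sample results, shaped like the responses shown on this page.
SAMPLE = {
    "buckets": [{"timestamp": 1454943900000, "anomaly_score": 94.1706, "bucket_span": 300, "is_interim": False},
                {"timestamp": 1454944200000, "anomaly_score": 85.0, "bucket_span": 300, "is_interim": False},
                {"timestamp": 1454944500000, "anomaly_score": 90.0, "bucket_span": 300, "is_interim": True}],
    "records": [{"timestamp": 1454943900000, "record_score": 40.0, "is_interim": False},
                {"timestamp": 1454944200000, "record_score": 72.9929, "is_interim": False},
                {"timestamp": 1454944200000, "record_score": 10.0, "is_interim": False},
                {"timestamp": 1454944500000, "record_score": 95.0, "is_interim": True}]}

def fake_send(method: str, path: str, body: dict) -> dict:
    """Stub transport applying the body filters documented above (assumes start inclusive, end exclusive)."""
    kind = path.rsplit("/", 1)[1]                   # "buckets" or "records"
    key = "anomaly_score" if kind == "buckets" else "record_score"
    hits = [h for h in SAMPLE[kind] if h[key] > body.get(key, -1.0)
            and not (body.get("exclude_interim") and h["is_interim"])
            and int(body.get("start", 0)) <= h["timestamp"] < int(body.get("end", 2 ** 62))]
    if "sort" in body:
        hits.sort(key=lambda h: h[body["sort"]], reverse=body.get("desc", False))
    page = body.get("page", {"from": 0, "size": 100})
    return {"count": len(hits), kind: hits[page["from"]:page["from"] + page["size"]]}
```

Running get_buckets with page_size=1 against the stub exercises the paging loop twice and drops the interim bucket; passing one returned bucket to get_bucket_records yields only the final records whose timestamps fall within that bucket's 300-second span.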