Get anomaly records for an anomaly detection job Added in 5.4.0

GET /_ml/anomaly_detectors/{job_id}/results/records

Records contain the detailed analytical results. They describe the anomalous activity that has been identified in the input data based on the detector configuration. There can be many anomaly records depending on the characteristics and size of the input data. In practice, there are often too many to be able to manually process them. The machine learning features therefore perform a sophisticated aggregation of the anomaly records into buckets. The number of record results depends on the number of anomalies found in each bucket, which relates to the number of time series being modeled and the number of detectors.

Path parameters

  • job_id string Required

    Identifier for the anomaly detection job.

Query parameters

  • desc boolean

    If true, the results are sorted in descending order.

  • end string | number

    Returns records with timestamps earlier than this time. The default value means results are not limited to specific timestamps.

  • If true, the output excludes interim results.

  • from number

    Skips the specified number of records.

  • Returns records with anomaly scores greater or equal than this value.

  • size number

    Specifies the maximum number of records to obtain.

  • sort string

    Specifies the sort field for the requested records.

  • start string | number

    Returns records with timestamps after this time. The default value means results are not limited to specific timestamps.

application/json

Body

  • desc boolean

    Refer to the description for the desc query parameter.

  • end string | number

    A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.

  • Refer to the description for the exclude_interim query parameter.

  • page object

    Additional properties are allowed.

    Hide page attributes Show page attributes object
    • from number

      Skips the specified number of items.

    • size number

      Specifies the maximum number of items to obtain.

  • Refer to the description for the record_score query parameter.

  • sort string

    Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

  • start string | number

    A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • count number Required
    • records array[object] Required
      Hide records attributes Show records attributes object
      • actual array[number]

        The actual value for the bucket.

      • Additional properties are allowed.

        Hide anomaly_score_explanation attributes Show anomaly_score_explanation attributes object
      • Time unit for seconds

      • The field used to split the data. In particular, this property is used for analyzing the splits with respect to their own history. It is used for finding unusual values in the context of the split.

      • The value of by_field_name.

      • causes array[object]

        For population analysis, an over field must be specified in the detector. This property contains an array of anomaly records that are the causes for the anomaly that has been identified for the over field. This sub-resource contains the most anomalous records for the over_field_name. For scalability reasons, a maximum of the 10 most significant causes of the anomaly are returned. As part of the core analytical modeling, these low-level anomaly records are aggregated for their parent over field record. The causes resource contains similar elements to the record resource, namely actual, typical, geo_results.actual_point, geo_results.typical_point, *_field_name and *_field_value. Probability and scores are not applicable to causes.

        Hide causes attributes Show causes attributes object
      • detector_index number Required

        A unique identifier for the detector.

      • Certain functions require a field to operate on, for example, sum(). For those functions, this value is the name of the field to be analyzed.

      • function string

        The function in which the anomaly occurs, as specified in the detector configuration. For example, max.

      • The description of the function in which the anomaly occurs, as specified in the detector configuration.

      • Additional properties are allowed.

        Hide geo_results attributes Show geo_results attributes object
        • actual_point string Required

          The actual value for the bucket formatted as a geo_point.

        • typical_point string Required

          The typical value for the bucket formatted as a geo_point.

      • influencers array[object]

        If influencers were specified in the detector configuration, this array contains influencers that contributed to or were to blame for an anomaly.

        Hide influencers attributes Show influencers attributes object
      • initial_record_score number Required

        A normalized score between 0-100, which is based on the probability of the anomalousness of this record. This is the initial value that was calculated at the time the bucket was processed.

      • is_interim boolean Required

        If true, this is an interim result. In other words, the results are calculated based on partial input data.

      • job_id string Required

        Identifier for the anomaly detection job.

      • The field used to split the data. In particular, this property is used for analyzing the splits with respect to the history of all splits. It is used for finding unusual values in the population of all splits.

      • The value of over_field_name.

      • The field used to segment the analysis. When you use this property, you have completely independent baselines for each value of this field.

      • The value of partition_field_name.

      • probability number Required

        The probability of the individual anomaly occurring, in the range 0 to 1. For example, 0.0000772031. This value can be held to a high precision of over 300 decimal places, so the record_score is provided as a human-readable and friendly interpretation of this.

      • record_score number Required

        A normalized score between 0-100, which is based on the probability of the anomalousness of this record. Unlike initial_record_score, this value will be updated by a re-normalization process as new data is analyzed.

      • result_type string Required

        Internal. This is always set to record.

      • Time unit for milliseconds

      • typical array[number]

        The typical value for the bucket, according to analytical modeling.

GET /_ml/anomaly_detectors/{job_id}/results/records
curl \
 -X GET http://api.example.com/_ml/anomaly_detectors/{job_id}/results/records \
 -H "Content-Type: application/json" \
 -d '{"desc":true,"":"string","exclude_interim":true,"page":{"from":42.0,"size":42.0},"record_score":42.0,"sort":"string"}'
Request examples
{
  "desc": true,
  "": "string",
  "exclude_interim": true,
  "page": {
    "from": 42.0,
    "size": 42.0
  },
  "record_score": 42.0,
  "sort": "string"
}
Response examples (200)
{
  "count": 42.0,
  "records": [
    {
      "actual": [
        42.0
      ],
      "anomaly_score_explanation": {
        "anomaly_characteristics_impact": 42.0,
        "anomaly_length": 42.0,
        "anomaly_type": "string",
        "high_variance_penalty": true,
        "incomplete_bucket_penalty": true,
        "lower_confidence_bound": 42.0,
        "multi_bucket_impact": 42.0,
        "single_bucket_impact": 42.0,
        "typical_value": 42.0,
        "upper_confidence_bound": 42.0
      },
      "": 42.0,
      "by_field_name": "string",
      "by_field_value": "string",
      "causes": [
        {
          "actual": [
            42.0
          ],
          "by_field_name": "string",
          "by_field_value": "string",
          "correlated_by_field_value": "string",
          "field_name": "string",
          "function": "string",
          "function_description": "string",
          "influencers": [
            {}
          ],
          "over_field_name": "string",
          "over_field_value": "string",
          "partition_field_name": "string",
          "partition_field_value": "string",
          "probability": 42.0,
          "typical": [
            42.0
          ]
        }
      ],
      "detector_index": 42.0,
      "field_name": "string",
      "function": "string",
      "function_description": "string",
      "geo_results": {
        "actual_point": "string",
        "typical_point": "string"
      },
      "influencers": [
        {
          "influencer_field_name": "string",
          "influencer_field_values": [
            "string"
          ]
        }
      ],
      "initial_record_score": 42.0,
      "is_interim": true,
      "job_id": "string",
      "over_field_name": "string",
      "over_field_value": "string",
      "partition_field_name": "string",
      "partition_field_value": "string",
      "probability": 42.0,
      "record_score": 42.0,
      "result_type": "string",
      "typical": [
        42.0
      ]
    }
  ]
}