Get buckets API
editGet buckets API
editRetrieves anomaly detection job results for one or more buckets.
Request
editGET _ml/anomaly_detectors/<job_id>/results/buckets
GET _ml/anomaly_detectors/<job_id>/results/buckets/<timestamp>
Prerequisites
editRequires the monitor_ml
cluster privilege. This privilege is included in the
machine_learning_user
built-in role.
Description
editThe get buckets API presents a chronological view of the records, grouped by bucket.
Path parameters
edit-
<job_id>
- (Required, string) Identifier for the anomaly detection job.
-
<timestamp>
- (Optional, string) The timestamp of a single bucket result. If you do not specify this parameter, the API returns information about all buckets.
Request body
edit-
anomaly_score
-
(Optional, double) Returns buckets with anomaly scores greater or equal than
this value. Defaults to
0.0
. -
desc
-
(Optional, Boolean) If true, the buckets are sorted in descending order.
Defaults to
false
. -
end
-
(Optional, string) Returns buckets with timestamps earlier than this time.
Defaults to
-1
, which means it is unset and results are not limited to specific timestamps. -
exclude_interim
-
(Optional, Boolean)
If
true
, the output excludes interim results. Defaults tofalse
, which means interim results are included. -
expand
-
(Optional, Boolean) If true, the output includes anomaly records. Defaults to
false
. -
page
.from
-
(Optional, integer) Skips the specified number of buckets. Defaults to
0
. -
page
.size
-
(Optional, integer) Specifies the maximum number of buckets to obtain. Defaults
to
100
. -
sort
-
(Optional, string) Specifies the sort field for the requested buckets. By
default, the buckets are sorted by the
timestamp
field. -
start
-
(Optional, string) Returns buckets with timestamps after this time. Defaults to
-1
, which means it is unset and results are not limited to specific timestamps.
Response body
editThe API returns an array of bucket objects, which have the following properties:
-
anomaly_score
- (number) The maximum anomaly score, between 0-100, for any of the bucket influencers. This is an overall, rate-limited score for the job. All the anomaly records in the bucket contribute to this score. This value might be updated as new data is analyzed.
-
bucket_influencers
-
(array) An array of bucket influencer objects.
Properties of
bucket_influencers
-
anomaly_score
- (number) A normalized score between 0-100, which is calculated for each bucket influencer. This score might be updated as newer data is analyzed.
-
bucket_span
-
(number)
The length of the bucket in seconds. This value matches the
bucket_span
that is specified in the job. -
initial_anomaly_score
- (number) The score between 0-100 for each bucket influencer. This score is the initial value that was calculated at the time the bucket was processed.
-
influencer_field_name
- (string) The field name of the influencer.
-
influencer_field_value
- (string) The field value of the influencer.
-
is_interim
-
(Boolean)
If
true
, this is an interim result. In other words, the results are calculated based on partial input data. -
job_id
- (string) Identifier for the anomaly detection job.
-
probability
-
(number) The probability that the bucket has this behavior, in the range 0 to 1.
This value can be held to a high precision of over 300 decimal places, so the
anomaly_score
is provided as a human-readable and friendly interpretation of this. -
raw_anomaly_score
- (number) Internal.
-
result_type
-
(string) Internal. This value is always set to
bucket_influencer
. -
timestamp
- (date) The start time of the bucket for which these results were calculated.
-
-
bucket_span
-
(number)
The length of the bucket in seconds. This value matches the
bucket_span
that is specified in the job. -
event_count
- (number) The number of input data records processed in this bucket.
-
initial_anomaly_score
-
(number) The maximum
anomaly_score
for any of the bucket influencers. This is the initial value that was calculated at the time the bucket was processed. -
is_interim
-
(Boolean)
If
true
, this is an interim result. In other words, the results are calculated based on partial input data. -
job_id
- (string) Identifier for the anomaly detection job.
-
processing_time_ms
- (number) The amount of time, in milliseconds, that it took to analyze the bucket contents and calculate results.
-
result_type
-
(string) Internal. This value is always set to
bucket
. -
timestamp
-
(date) The start time of the bucket. This timestamp uniquely identifies the bucket.
Events that occur exactly at the timestamp of the bucket are included in the results for the bucket.
Examples
editGET _ml/anomaly_detectors/low_request_rate/results/buckets { "anomaly_score": 80, "start": "1454530200001" }
In this example, the API returns a single result that matches the specified score and time constraints:
{ "count" : 1, "buckets" : [ { "job_id" : "low_request_rate", "timestamp" : 1578398400000, "anomaly_score" : 91.58505459594764, "bucket_span" : 3600, "initial_anomaly_score" : 91.58505459594764, "event_count" : 0, "is_interim" : false, "bucket_influencers" : [ { "job_id" : "low_request_rate", "result_type" : "bucket_influencer", "influencer_field_name" : "bucket_time", "initial_anomaly_score" : 91.58505459594764, "anomaly_score" : 91.58505459594764, "raw_anomaly_score" : 0.5758246639716365, "probability" : 1.7340849573442696E-4, "timestamp" : 1578398400000, "bucket_span" : 3600, "is_interim" : false } ], "processing_time_ms" : 0, "result_type" : "bucket" } ] }