Create an anomaly detection rule

edit

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Required role

The Editor role or higher is required to create anomaly detection rules. To learn more, refer to Assign user roles and privileges.

Anomaly detection alerting is in beta

The Anomaly detection alerting functionality is in beta and is subject to change. The design and code is less mature than official generally available features and is being provided as-is with no warranties.

Create an anomaly detection rule to check for anomalies in one or more anomaly detection jobs. If the conditions of the rule are met, an alert is created, and any actions specified in the rule are triggered. For example, you can create a rule to check every fifteen minutes for critical anomalies and then alert you by email when they are detected.

To create an anomaly detection rule:

  1. In your Observability project, go to AIOpsAnomaly detection.
  2. In the list of anomaly detection jobs, find the job you want to check for anomalies. Haven’t created a job yet? Create one now.
  3. From the Actions menu next to the job, select Create alert rule.
  4. Specify a name and optional tags for the rule. You can use these tags later to filter alerts.
  5. Verify that the correct job is selected and configure the alert details:

    Anomaly detection alert settings
  6. For the result type:

    Choose…​ To generate an alert based on…​

    Bucket

    How unusual the anomaly was within the bucket of time

    Record

    What individual anomalies are present in a time range

    Influencer

    The most unusual entities in a time range

  7. Adjust the Severity to match the anomaly score that will trigger the action. The anomaly score indicates the significance of a given anomaly compared to previous anomalies. The default severity threshold is 75, which means every anomaly with an anomaly score of 75 or higher will trigger the associated action.
  8. (Optional) Turn on Include interim results to include results that are created by the anomaly detection job before a bucket is finalized. These results might disappear after the bucket is fully processed. Include interim results if you want to be notified earlier about a potential anomaly even if it might be a false positive.
  9. (Optional) Expand and change Advanced settings:

    Setting Description

    Lookback interval

    The interval used to query previous anomalies during each condition check. Setting the lookback interval lower than the default value might result in missed anomalies.

    Number of latest buckets

    The number of buckets to check to obtain the highest anomaly from all the anomalies that are found during the Lookback interval. An alert is created based on the anomaly with the highest anomaly score from the most anomalous bucket.

  10. (Optional) Under Check the rule condition with an interval, specify an interval, then click Test to check the rule condition with the interval specified. The button is grayed out if the datafeed is not started. To test the rule, start the data feed.
  11. (Optional) If you want to change how often the condition is evaluated, adjust the Check every setting.
  12. (Optional) Set up Actions.
  13. Save your rule.

Anomaly detection rules are defined as part of a job. Alerts generated by these rules do not appear on the Alerts page.

Add actions
edit

You can extend your rules with actions that interact with third-party systems, write to logs or indices, or send user notifications. You can add an action to a rule at any time. You can create rules without adding actions, and you can also define multiple actions for a single rule.

To add actions to rules, you must first create a connector for that service (for example, an email or external incident management system), which you can then use for different rules, each with their own action frequency.

Connector types

Connectors provide a central place to store connection information for services and integrations with third party systems. The following connectors are available when defining actions for alerting rules:

Some connector types are paid commercial features, while others are free. For a comparison of the Elastic subscription levels, go to the subscription page.

For more information on creating connectors, refer to Connectors.

Action frequency

After you select a connector, you must set the action frequency. You can choose to create a Summary of alerts on each check interval or on a custom interval. For example, you can send email notifications that summarize the new, ongoing, and recovered alerts every twelve hours.

Alternatively, you can set the action frequency to For each alert and specify the conditions each alert must meet for the action to run. For example, you can send an email only when alert status changes to critical.

Configure when a rule is triggered

With the Run when menu you can choose if an action runs when the the anomaly score matched the condition or was recovered. For example, you can add a corresponding action for each state to ensure you are alerted when the anomaly score was matched and also when it recovers.

Choose between anomaly score matched condition or recovered
Action variables

Use the default notification message or customize it. You can add more context to the message by clicking the Add variable icon Add variable and selecting from a list of available variables.

Action variables list

The following variables are specific to this rule type. You can also specify variables common to all rules.

context.anomalyExplorerUrl
URL to open in the Anomaly Explorer.
context.isInterim
Indicate if top hits contain interim results.
context.jobIds
List of job IDs that triggered the alert.
context.message
Alert info message.
context.score
Anomaly score at the time of the notification action.
context.timestamp
The bucket timestamp of the anomaly.
context.timestampIso8601
The bucket timestamp of the anomaly in ISO8601 format.
context.topInfluencers

The list of top influencers. Properties include:

influencer_field_name
The field name of the influencer.
influencer_field_value
The entity that influenced, contributed to, or was to blame for the anomaly.
score
The influencer score. A normalized score between 0-100 which shows the influencer’s overall contribution to the anomalies.
context.topRecords

The list of top records. Properties include:

actual
The actual value for the bucket.
by_field_value
The value of the by field.
field_name
Certain functions require a field to operate on, for example, sum(). For those functions, this value is the name of the field to be analyzed.
function
The function in which the anomaly occurs, as specified in the detector configuration. For example, max.
over_field_name
The field used to split the data.
partition_field_value
The field used to segment the analysis.
score
A normalized score between 0-100, which is based on the probability of the anomalousness of this record.
typical
The typical value for the bucket, according to analytical modeling.
Edit an anomaly detection rule
edit

To edit an anomaly detection rule:

  1. In your Observability project, go to AIOpsAnomaly detection.
  2. Expand the job that uses the rule you want to edit.
  3. On the Job settings tab, under Alert rules, click the rule to edit it.