Abnormal behavior of anomaly detection found - Elastic ML Stack

Hi

I have created a multi-metric Anomaly Detection Job with High Mean Response Time as the detector; the bucket span was 4h and the training data covered 1 year.

Picture1

After a certain span the Upper Bound of the model has increased abruptly. Refer to the screenshot attached below:

Picture2

Can you help me to understand why this abrupt increase of upper bound happened?

In the second row of the anomalies table (refer to the attached screenshot below), where Severity is 85 and it has a high multi-bucket effect, the typical value is abnormally high compared to the actual value. I observed that this is happening for all the anomaly points that have a multi-bucket effect, but the anomaly points without a multi-bucket effect are not showing any abnormal value. But in my data I don't have such abnormal values: the Maximum Response Time = 400 and Minimum Response Time = 0 in my time series.

Picture3

It would be helpful if you could help me understand why this typical value is so high. What does this Multi Bucket effect signify? Does this Multi Bucket Effect have any correlation with the abnormally high typical value?

I would also like to know what the difference is between "High Mean Response Time" and "Mean Response Time" in the detector field of the anomaly job?

To be clear - you're not looking at the model but the actual data. The data's behavior changed abruptly on or around April 30th. You should inspect what the text of Annotation #1 is telling you.

It would be helpful if you could help me understand why this typical value is so high.

The typical value is high in the second anomaly in the table because that is long after the data's behavior changed abruptly on or around April 30th.

Does this Multi Bucket Effect have any correlation with the abnormally high typical value?

Not in this case, but you should understand what a Multi-bucket anomaly is: Interpreting multi-bucket impact anomalies using Elastic machine learning features | Elastic Blog

I would also like to know what the difference is between "High Mean Response Time" and "Mean Response Time" in the detector field of the anomaly job?

The high_mean detector function only flags anomalies on the "high side" (i.e. spikes) of the mean of a field value. mean will do both (spikes and dips). If you have a multi-bucket anomaly, however, that can show up regardless of the use of a "one-sided" detector function. This is explained in the above blog.
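To illustrate the high_mean versus mean distinction from the reply above, here is an added example that is not from this thread or from Elastic's code: it groups a constructed response-time series into 4h buckets and applies a simplified one-sided vs two-sided check against a fixed training window. The z-score baseline is a stand-in for illustration only; Elastic's real job uses a probabilistic model, not a z-score.

```python
from statistics import mean, pstdev

# Constructed example (not Elastic's own modelling, which is probabilistic,
# not a z-score): per-bucket means of a response-time field with a
# simplified baseline, to contrast one-sided vs two-sided detectors.

BUCKET_SPAN_S = 4 * 3600  # 4h bucket span, as in the job above


def bucket_means(events, bucket_span=BUCKET_SPAN_S):
    """Group (timestamp_s, response_time) events into buckets and return
    a list of (bucket_start, mean_response_time) in time order."""
    buckets = {}
    for ts, value in events:
        buckets.setdefault(ts - ts % bucket_span, []).append(value)
    return [(start, mean(vals)) for start, vals in sorted(buckets.items())]


def detect(bucket_values, train_buckets, function="high_mean", k=3.0):
    """Flag buckets after the training window whose mean deviates from the
    baseline. 'high_mean' flags only upward deviations; 'mean' flags both.
    Returns (bucket_start, actual, typical) tuples."""
    baseline = [v for _, v in bucket_values[:train_buckets]]
    typical, spread = mean(baseline), pstdev(baseline) or 1.0
    anomalies = []
    for start, actual in bucket_values[train_buckets:]:
        z = (actual - typical) / spread
        if function == "high_mean" and z > k:
            anomalies.append((start, actual, typical))
        elif function == "mean" and abs(z) > k:
            anomalies.append((start, actual, typical))
    return anomalies


def sample_events():
    """Constructed input: 40 training buckets averaging 200 ms, then a
    spike bucket (380 ms), a dip bucket (20 ms) and a normal bucket."""
    events = []
    for b in range(40):
        for i in range(6):
            events.append((b * BUCKET_SPAN_S + i * 600, 200 + (i - 2.5) * 4))
    events += [(40 * BUCKET_SPAN_S + i * 600, 380) for i in range(6)]
    events += [(41 * BUCKET_SPAN_S + i * 600, 20) for i in range(6)]
    events += [(42 * BUCKET_SPAN_S + i * 600, 200) for i in range(6)]
    return events


if __name__ == "__main__":
    bm = bucket_means(sample_events())
    print("high_mean flags:", detect(bm, 40, "high_mean"))  # spike only
    print("mean flags:     ", detect(bm, 40, "mean"))       # spike and dip
```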
