Abnormal Datafeeding detected in Anomaly Detection Jobs

Souvik_Das · December 7, 2022, 10:32am

Hi Team,

There are a couple of machine learning jobs currently running in our ELK environment. With this, we have configured watcher alerts also, based on the record-level anomaly score. Since a few days back, we've been receiving false positive alerts.
After investigation, we found that, though there are data in the index checked from discover (540 hits) for that timeframe, the anomaly detection result window is showing actual 0. Please see below for reference --

Now, by further deep-diving, we found that datafeed is not able to pull data properly, see the screenshot below for reference --

Why datafeed is not able to pull these many documents?

FYI, current settings are as below --

query_delay - 240s
scroll_size - 1000

Also, let me know if you need any other information.

Regards,
Souvik

richcollier · December 14, 2022, 5:47pm

if this is an ongoing issue you have to either increase your query_delay so that you are not missing data or figure out why it takes so long (apparently longer than 2 minutes) for your data to be ingested and searchable (by the ML job)

system · January 11, 2023, 5:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Datafeed has been retrieving no data for a while Elasticsearch elastic-stack-machine-learning	3	335	December 22, 2023
Security Analytics Recipes Elasticsearch	6	1309	August 25, 2017
Elasticsearch datafeed has been retrieving no data for a while Elasticsearch elastic-stack-machine-learning	2	796	April 6, 2020
Anomaly detection job failing to pull any data in Elasticsearch	4	375	May 5, 2021
Machine Learning datafeed skipping documents that seem to be there Elasticsearch elastic-stack-machine-learning	14	4133	April 9, 2019

Abnormal Datafeeding detected in Anomaly Detection Jobs

Related topics