Aletring based on anomaly duration

richcollier · May 25, 2022, 5:36pm

Thanks for your information, but now I think your requirements have opened up more additional questions:

If your job has 15m bucket_span and if you run your Watch once per day, then there are 96 bucket_spans per day. So, what if there are multiple anomalous intervals that are 3 or more consecutive buckets for an entity? For example, entity EV3 was anomalous for an hour from 9:00-10:00, for 45 minutes from 12:00-12:45, and for one hour and fifteen minutes from 22:00-23:15. Are these 3 separate alerts or do you just want to know that EV3 was anomalous today?
Does it matter if during a 3 or more consecutive buckets duration, the anomaly score is drastically different? For example, if EV3 was anomalous for 45 minutes from 12:00-12:45 but the anomaly scores were 90, 30, and 85 - this would be 3 consecutive buckets, but one of the buckets is below your threshold of 40. Would this be an alert in your book?

Topic		Replies	Views
Watcher Alerting on multi-bucket anomaly? Kibana elastic-stack-machine-learning , elastic-stack-alerting	2	518	December 28, 2020
Watcher not triggering alerts Elasticsearch elastic-stack-machine-learning	2	525	May 16, 2020
Send an email alert after 3 major/critical anomalies for a given time range Elasticsearch elastic-stack-machine-learning	3	473	August 12, 2019
Machine Learning module is triggering alerts when there is no anomaly Elasticsearch elastic-stack-machine-learning	27	2941	July 1, 2019
ML watcher configs Elasticsearch elastic-stack-machine-learning	4	639	November 23, 2020