Anomaly Detection Categorization: Kibana Signs used for Severities(warning, minor, major, critical)

aviral_srivastava · April 22, 2022, 1:29pm

Hi,

I am using Elasticsearch 8.1.0 and kibana 8.1.0
I have created a Categorization job in kibana. As input, I have given the index field which contains the log messages.

After the job gets completed processing, I can see the Analysis results at the bottom in tabular format

I can see ml categories are divided into 4 types of severity: warning, minor, major and critical.
warning represented by grey dot
minor represented by yellow dot
major represented by orange dot
critical represented by red dot

But also somewhere plus sign appears. Why do they mean?

richcollier · April 22, 2022, 3:31pm

see: Interpreting multi-bucket impact anomalies using Elastic machine learning features | Elastic Blog

aviral_srivastava · April 25, 2022, 4:47pm

Thanks for the blog post.
It really helped.

In my case I have given the message field as an input to the anomaly detector job which only contains log messages. So ML has created 15 different categories out of it.

So, in the multi-bucket impact anomaly, do the anomalies in previous 11 buckets should belong to the same ml category? or they could be different ml category?

I have a ml category, which is marked with a cross. So does this mean there were ml categories which showed anomalous behaviour in the previous 11 buckets, not necessarily the same ml category?

Also, can we have a multi-bucket impact anomaly if in the previous 11 buckets some have anomalous behaviour while some do not?

richcollier · April 25, 2022, 6:41pm

A Multi-bucket anomaly means a particular entity (in your case ml_category) had an anomaly with respect to a longer timeframe (not a single bucket of time). It does not mean that other entities also had an anomaly. The purpose of a multi-bucket anomaly is to find that trend that looks over a longer period of time (a sliding window of 12 bucket_spans) rather than individual bucket_spans.

To explicitly answer your questions:

So, in the multi-bucket impact anomaly, do the anomalies in previous 11 buckets should belong to the same ml category? or they could be different ml category?

Yes, the same ml_category

I have a ml category, which is marked with a cross. So does this mean there were ml categories which showed anomalous behaviour in the previous 11 buckets, not necessarily the same ml category?

No.

aviral_srivastava · April 26, 2022, 5:59am

Thanks for the reply. It helped.

system · May 24, 2022, 6:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.