I am attempting to create a ML job to detect rare source IPs. Using the Anomaly Detection wizard, I selected Categorization, then picked Rare and picked the source.address for Categorization field. However, I get the following error:
Selected category field is invalid
1000 field values analyzed, 0% contain 3 or more tokens.
Can someone explain to me what type of ML job I should use to accomplish this?
Categorization is used to process unstructured text, not to deal with fields like IP addresses. You can just apply rare to the IP address by setting the IP address as the by_field. See this older article for examples.
Also, see this other idea about only analyzing the first octet of IP addresses
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.