Anomaly Detection Using Advanced Configuration

Hi team,

I am using the ELK Platinum version. A few days back I created an ML job which detects the max value for a particular string field value.

Here I can see a cross symbol and a dotted cross symbol denoting multi-bucket; I don't know what it is depicting in the ML graph. What is multi-bucket impact? Please explain it to me, I want to know; I have read many blogs, docs and forum posts.

Second, there are some annotations on the graph which represent trends or snapshot restored.
Third, am I doing this right? I have two fields, a numerical field and a string field; do I have to apply the max function? I don't know if it is right or wrong, please share your views.

Job config

"analysis_config": {
    "bucket_span": "15m",
    "detectors": [
        {
            "detector_description": "max(test) by \"verb.keyword\"",
            "function": "max",
            "field_name": "test",
            "by_field_name": "verb.keyword",
            "detector_index": 0
        }
    ],
    "influencers": [

@richcollier can you please help me out.

Blog to help understand what multi-bucket anomalies are: Interpreting multi-bucket impact anomalies using Elastic machine learning features | Elastic Blog

To answer your question "am I doing this right?" I would need to know what your data looks like (example document) and what the use case is (i.e. explain in a sentence what you're trying to detect).
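An added example, not from this thread or from Elastic, showing where the cross markers come from: each anomaly record the job writes (one per verb.keyword value, since the detector uses by_field_name) carries a multi_bucket_impact score between -5 and +5, and the marker style reflects that score. The sample records are constructed and the high/medium/low thresholds are assumptions chosen to mimic the Kibana labels.

```python
# Thresholds assumed for this example: Kibana labels multi_bucket_impact
# (range -5 to +5) as high / medium / low / none around these cut-offs.
MBI_HIGH, MBI_MEDIUM, MBI_LOW = 3.0, 1.0, -1.0

# Constructed sample of record results for a max(test) by verb.keyword job.
# Real records live in the .ml-anomalies-* indices and carry these fields.
SAMPLE_RECORDS = [
    {"timestamp": "2021-03-01T10:00:00Z", "by_field_value": "GET",
     "record_score": 92.4, "multi_bucket_impact": -4.2,
     "actual": [9800.0], "typical": [120.0]},
    {"timestamp": "2021-03-01T10:15:00Z", "by_field_value": "POST",
     "record_score": 71.0, "multi_bucket_impact": 4.6,
     "actual": [410.0], "typical": [150.0]},
    {"timestamp": "2021-03-01T10:30:00Z", "by_field_value": "PUT",
     "record_score": 12.3, "multi_bucket_impact": 1.5,
     "actual": [200.0], "typical": [130.0]},
]


def multi_bucket_label(impact: float) -> str:
    """Map a record's multi_bucket_impact score to a label.

    A high value means the anomaly is driven by several neighbouring
    15m buckets being collectively unusual (the cross marker), a low or
    negative value means the single bucket alone is unusual (the dot).
    """
    if impact >= MBI_HIGH:
        return "high"
    if impact >= MBI_MEDIUM:
        return "medium"
    if impact >= MBI_LOW:
        return "low"
    return "none"


def summarize_records(records, min_score=50.0):
    """Return records above min_score, most anomalous first, with the
    verb (by_field_value), the multi-bucket label and actual vs typical."""
    rows = []
    for r in records:
        if r["record_score"] < min_score:
            continue
        rows.append({
            "verb": r["by_field_value"],
            "timestamp": r["timestamp"],
            "score": r["record_score"],
            "multi_bucket": multi_bucket_label(r["multi_bucket_impact"]),
            "actual": r["actual"][0],
            "typical": r["typical"][0],
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)
```

Running summarize_records on real records pulled from the job's results index gives the same verb, score and single- versus multi-bucket breakdown that the Anomaly Explorer chart encodes in its markers.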
