Our goal is similar to discussed in this thread Machine learning - host stopped sending logs or events - we're trying to send alerts when certain hosts or components stopped to send data or we have anomaly in data volume.
There are about 5 indices, with about 30 log types, tens of hosts.
We created multi-count job, using "type" as partition_field_name. But what about per-host issues? Should we use "host" field as influencer or we can use "host" as a "sub-partion"?
Thank you,
Vitaly
Vitaly,
You could consider making an Advanced Job - with a config like:
function: low_count
by_field_name: type
partition_field_name: host
This will effectively give you a double-split - "for every host, look at the low count of data per type"
If you add the host name to a "tags" field then you can do an advanced job and just set the datafeed to query for that tag so that each job will essentially be a partition.
Rich,
I'll totally understand if your answer will be "RTFM", but I'll ask anyway
The multi-metric job cannot do a by_field_name and a partition_field_name. It only does partition_field_name. A choice of an influencer does not affect the statistical modeling (i.e. won't split the modeling) - possible influencers are determined after the anomaly is determined.
A count job is equivalent to low_count and high_count within the same job. You'd pick low_count if you were ONLY interested in a drop in events.
thank you * 2!
Vitaly
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.