Apologies for the delay in replying @zerojin63. The error you are seeing when trying to use the field in an ML job looks like it is being caused by the datafeed preview step which validates the job configuration taking too long. The fact that the field shows up in Discover would imply that the configuration of the field is ok.
What version of the stack do you have, and which of the anomaly detection job wizards are you using? If you use the advanced job wizard, add the detector using the runtime field, then hit 'Edit JSON' and take a look in the datafeeed preview panel. Do you see values for your runtime field in there, like I see here:
You could also create the job directly in Kibana Dev Tools, and try running the datafeed preview from there. For example, with my config:
PUT _ml/anomaly_detectors/test1
{
"analysis_config": {
"bucket_span": "4h",
"detectors": [
{
"function": "sum",
"field_name": "bytes",
"partition_field_name": "uri_first_path",
"detector_description": "sum(bytes) partitionfield=uri_first_path"
}
],
"influencers": [
"uri_first_path"
]
},
"data_description": {
"time_field":"@timestamp"
},
"datafeed_config":{
"datafeed_id": "datafeed-test1",
"indices": ["gallery-*"],
"runtime_mappings": {
"uri_first_path": {
"type": "keyword",
"script": {
"source": """def m = /^\/(\w+|_)\//.matcher(doc['uri'].value); emit(m.find() ? m.group(1): '');"""
}
}
}
}
}
GET _ml/datafeeds/datafeed-test1/_preview