Elasticsearch watcher to send Prediction data

Kathir_J · October 25, 2018, 12:55pm

Elasticsearch watcher to send prediction data.

In this above screenshot, I have the prediction value as 32192.
So, is it possible to alert the user (by using watcher) with the prediction value?

My watcher configuration is,

         {
              "range": {
                "anomaly_score": {
                  "gte": "30"
                }
              }
        }

Is it possible to include prediction value inside range?
Is it possible to include prediction value in slack text?
"text": "Machine Learning Results - Object cache size is going to exceed threshold limit.\n Anomalies:\n{{#ctx.payload.hits.hits}}score={{_source.anomaly_score}} at time={{_source.timestamp}}\n{{/ctx.payload.hits.hits}}"

If so, could you please let me know the syntax?

Thanks in advance.

spinscale · October 25, 2018, 1:04pm

Hey,

I am not sure what you are referring to with the first question. Something you could do is to put the anomaly score in the watch metadata like

"metadata" : { "score" : "30" }

and then do this in your query

"range": {  "anomaly_score": { "gte": "{{ctx.metadata.score}}" } }

and also refer to this in the slack message via {{ctx.metadata.score}}.

Your second assumption is correct, that this will return all the anomaly scors of the hits being returned.

Hope this helps!

--Alex

Kathir_J · October 25, 2018, 1:26pm

Alright. Thanks for that. It clarifies my few other questions.

My use case,

In the screenshot I provided, When prediction value goes beyond 32000, I want to alert users along with the prediction value and prediction date in the alert text.

In watcher, I configured the alert text as

"text": "Machine Learning Results - Object cache size is going to exceed threshold limit.\n Anomalies:\n{{#ctx.payload.hits.hits}}score={{_source.anomaly_score}} at time={{_source.timestamp}}\n{{/ctx.payload.hits.hits}}"

Alert should look something like,

As per prediction, Object cache size is going to be at <prediction value> on <future date>.

How do I include both <prediction value> and <future date>data in alert text.
Is there anything like {{ctx.payload.hits.hits.0.prediction}}?

richcollier · October 26, 2018, 4:08pm

For forecasts, you do NOT want to use anomaly_score as the thing you're reporting on. Instead, use forecast_prediction . Please reference this other thread:

system · November 23, 2018, 4:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch Watcher - convert the milliseconds-since-the-epoch value back into a string Elasticsearch elastic-stack-alerting	2	1081	November 22, 2018
Watcher alerts, customizing message from Kibana Ui Kibana elastic-stack-alerting	5	2585	August 24, 2018
Send all the aggregations as text with Watcher Elasticsearch elastic-stack-alerting	4	6260	February 6, 2017
Watcher Question Elasticsearch elastic-stack-alerting	2	410	May 25, 2020
Watcher alert on buckets data Elasticsearch elastic-stack-alerting	5	4225	November 22, 2017

Elasticsearch watcher to send Prediction data

Related topics