Email alerts from machine learning, bucket and record anomalies

ElasticLiver · May 7, 2020, 4:46pm

Hi, I have created a mail watch alert for machine learning and choose the lower Severity threshold for it

In the execution history of the watch I have several entries, but I dont get email alerts

I enter in the edit section of the watch an in the bucker_results the value of anomaly_score was 75, even when I choose the lower severity threshold as stated earlier, I have change the value to 3 and now I get alert mail

          "aggs": {
            "bucket_results": {
              "filter": {
                "range": {
                  "anomaly_score": {
                    "gte": 3
                  }
                }
              },

Questions:

¿the severity threshold chosed on the UI when creating the watch, doesn modify the anomaly score of bucket result, it will always will be greater than 75?

¿ only the bucket anomalies will trigger email alert, not the record anomalies?

richcollier · May 8, 2020, 11:40am

The UI which helps you create the Watch should obviously set the range correctly. If it doesn't, perhaps there is a bug in the version you are using (what version are you using?)

And yes, the default Watch that is created is only using bucket-level scoring (so the highest level of aggregated scores for the job). If you want record-level scoring, you have to create your own watch.

First consult: https://www.elastic.co/blog/machine-learning-anomaly-scoring-elasticsearch-how-it-works to understand the scoring completely and you can also reference a record-level watch example here: https://gist.github.com/richcollier/1c2b8161286bdca6c553859f28d3d66d

ElasticLiver · May 8, 2020, 8:15pm

Thanks Richcollier, the version is 7.5.1 on docker, in the severity threshold I choose warning and critical an both give this values, so maybe its a bug.....or maybe im looking in the wrong part of the json, this values are in the input

       "aggs": {
            "bucket_results": {
              "filter": {
                "range": {
                  "anomaly_score": {
                    "gte": 75
                  }
-------------
            "influencer_results": {
              "filter": {
                "range": {
                  "influencer_score": {
                    "gte": 3
                  }
-------------
            "record_results": {
              "filter": {
                "range": {
                  "record_score": {
                    "gte": 3
                  }
                }

richcollier · May 10, 2020, 5:35pm

Hey - Looks like there indeed was a bug there that's solved in v7.7 with the following PR: https://github.com/elastic/kibana/pull/58597

system · June 7, 2020, 5:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.