Explain diff_from_typical meaning in custom rules


When configuring Machine Learning jobs in ES, you can customise your detectors by using custom_rules.

I'm wondering about the actual meaning of the applies_to value diff_from_typical. My main question is if diff_from_typical considers difference in an absolute way or not. I know then you can use lt or gt operators (among others) but let's image the following situation:

I have a custom rule for two jobs. The rule is the same but the cases scenarios are different. Let's say that the custom rule is:

"custom_rules": [{
        "actions": ["skip_model_update"],
        "conditions": [
            "applies_to": "diff_from_typical",
            "operator": "gt",
            "value": 2000

Case scenario A:

  • Typical value: 5000
  • Actual value: 2000
  • diff_from_typical: 5000 - 2000 = 3000

Case scenario B:

  • Typical value: 5000
  • Actual value: 8000
  • diff_from_typical: 5000 - 8000 = -3000

Will the aforementioned custom rule apply in both cases? I mean, using the absolute difference from typical? Or will it only work in the first case (case A)?

I assume that if it only works for the first case, I should write the "inverse" custom rule to manage both cases.

Thanks in advance!

Yes diff_from_typical means absolute difference, so it covers the difference on either side.