It is my first time working with Elasticsearch anomaly detection. I've read the concepts and created a sample index to test it. I've also created this job and datafeed by using Kibana for the sample index:
{
  "job_id": "account",
  "description": "",
  "groups": [],
  "analysis_config": {
    "bucket_span": "1m",
    "detectors": [
      {
        "function": "high_mean",
        "field_name": "credit"
      }
    ],
    "influencers": [],
    "summary_count_field_name": "doc_count"
  },
  "data_description": {
    "time_field": "@timestamp"
  },
  "custom_settings": {
    "created_by": "single-metric-wizard"
  },
  "analysis_limits": {
    "model_memory_limit": "11MB"
  },
  "model_plot_config": {
    "enabled": true,
    "annotations_enabled": true
  }
}
{
  "datafeed_id": "datafeed-account",
  "job_id": "account",
  "indices": [
    "account"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        }
      ]
    }
  },
  "runtime_mappings": {},
  "aggregations": {
    "buckets": {
      "date_histogram": {
        "field": "timeStamp",
        "interval": "6000ms"
      },
      "aggregations": {
        "credit": {
          "avg": {
            "field": "credit"
          }
        },
        "@timestamp": {
          "max": {
            "field": "timeStamp"
          }
        }
      }
    }
  }
}
I need to index the anomalous documents in another index, so it must be possible to define something like an action concept (e.g. alert, index, ...) in the job, but I don't know how to define it.
How can I index the anomalous events in another index?
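The job and datafeed above have no action concept of their own; the results of the `account` job are written by Elasticsearch to the ML results indices (`.ml-anomalies-*`), and the documented ways to get them elsewhere are the ML results API or a Kibana anomaly detection alert rule with an index connector. The following is an added example, not code from the original post or from Elastic, of the API route: it fetches anomaly records for the job, keeps the ones whose `record_score` reaches a threshold, and bulk-indexes them with deterministic `_id`s into a separate index. The target index name `account-anomalies`, the Elasticsearch URL, the credentials, and the `SAMPLE_RECORDS_RESPONSE` payload are all assumptions or constructed sample data; the field names in the sample match the shape of real record results.

```python
"""
Added example (not from the original post): copy anomaly records of the ML
job `account` into a separate index. Assumptions: Elasticsearch is reachable
at ES_URL with basic auth, the job and datafeed from the post have run, and
the target index is `account-anomalies`.
"""
import base64
import json
import urllib.request
from typing import Any, Dict, List, Tuple

ES_URL = "https://localhost:9200"          # assumed
AUTH = ("elastic", "changeme")             # assumed; use an API key in practice
JOB_ID = "account"
TARGET_INDEX = "account-anomalies"         # assumed name

# Constructed sample of what
#   GET _ml/anomaly_detectors/account/results/records
# returns (subset of the real record fields), so the block runs offline.
SAMPLE_RECORDS_RESPONSE: Dict[str, Any] = {
    "count": 3,
    "records": [
        {"job_id": "account", "result_type": "record", "timestamp": 1600000000000,
         "bucket_span": 60, "detector_index": 0, "function": "high_mean",
         "field_name": "credit", "record_score": 91.4, "initial_record_score": 91.4,
         "probability": 1.2e-7, "actual": [9800.0], "typical": [420.5], "is_interim": False},
        {"job_id": "account", "result_type": "record", "timestamp": 1600000060000,
         "bucket_span": 60, "detector_index": 0, "function": "high_mean",
         "field_name": "credit", "record_score": 12.3, "initial_record_score": 12.3,
         "probability": 0.004, "actual": [610.0], "typical": [425.0], "is_interim": False},
        {"job_id": "account", "result_type": "record", "timestamp": 1600000120000,
         "bucket_span": 60, "detector_index": 0, "function": "high_mean",
         "field_name": "credit", "record_score": 76.0, "initial_record_score": 80.1,
         "probability": 3.0e-6, "actual": [5100.0], "typical": [430.0], "is_interim": True},
    ],
}


def select_anomalies(response: Dict[str, Any], threshold: float = 75.0,
                     include_interim: bool = False) -> List[Dict[str, Any]]:
    """Keep records whose record_score meets the threshold.

    Interim results can still change when the bucket is finalised, so they are
    dropped unless the caller explicitly wants them.
    """
    kept = []
    for rec in response.get("records", []):
        if rec.get("is_interim") and not include_interim:
            continue
        if float(rec.get("record_score", 0.0)) >= threshold:
            kept.append(rec)
    return kept


def record_doc_id(rec: Dict[str, Any]) -> str:
    """Deterministic _id so re-running the export overwrites instead of duplicating."""
    return f"{rec['job_id']}_{rec['timestamp']}_{rec['detector_index']}"


def build_bulk_body(records: List[Dict[str, Any]], target_index: str) -> str:
    """NDJSON body for POST _bulk: an index action line followed by the document."""
    lines = []
    for rec in records:
        lines.append(json.dumps({"index": {"_index": target_index, "_id": record_doc_id(rec)}}))
        doc = dict(rec)
        doc["@timestamp"] = rec["timestamp"]   # epoch millis; maps to a date field
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def _request(method: str, path: str, body: str, content_type: str,
             auth: Tuple[str, str]) -> Dict[str, Any]:
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(ES_URL + path, data=body.encode(), method=method,
                                 headers={"Content-Type": content_type,
                                          "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def export_anomalies(job_id: str, target_index: str, threshold: float = 75.0) -> int:
    """Fetch records above `threshold` from the results API and bulk-index them."""
    query = {"record_score": threshold, "exclude_interim": True,
             "page": {"from": 0, "size": 1000}}
    response = _request("POST", f"/_ml/anomaly_detectors/{job_id}/results/records",
                        json.dumps(query), "application/json", AUTH)
    records = select_anomalies(response, threshold)
    if not records:
        return 0
    bulk = _request("POST", "/_bulk", build_bulk_body(records, target_index),
                    "application/x-ndjson", AUTH)
    if bulk.get("errors"):
        raise RuntimeError("bulk indexing reported errors: " + json.dumps(bulk)[:500])
    return len(records)


if __name__ == "__main__":
    print(f"indexed {export_anomalies(JOB_ID, TARGET_INDEX)} anomalies into {TARGET_INDEX}")
```

Run it from a scheduler at least once per `bucket_span`; the deterministic `_id` makes overlapping runs idempotent. Copying the records into a dedicated index also lets you grant read access to that index alone rather than to the `.ml-anomalies-*` system indices.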