How to index anomalous documents in another index?

Ilia · January 26, 2022, 1:58pm

It is my first time working with Elasticsearch anomaly detection. I've read the concepts and create a sample index to test it. I've also created these job and datafeed by using kibana for the sample index:

{
  "job_id": "account",
  "description": "",
  "groups": [],
  "analysis_config": {
    "bucket_span": "1m",
    "detectors": [
      {
        "function": "high_mean",
        "field_name": "credit"
      }
    ],
    "influencers": [],
    "summary_count_field_name": "doc_count"
  },
  "data_description": {
    "time_field": "@timestamp"
  },
  "custom_settings": {
    "created_by": "single-metric-wizard"
  },
  "analysis_limits": {
    "model_memory_limit": "11MB"
  },
  "model_plot_config": {
    "enabled": true,
    "annotations_enabled": true
  }
}

{
  "datafeed_id": "datafeed-account",
  "job_id": "account",
  "indices": [
    "account"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        }
      ]
    }
  },
  "runtime_mappings": {},
  "aggregations": {
    "buckets": {
      "date_histogram": {
        "field": "timeStamp",
        "interval": "6000ms"
      },
      "aggregations": {
        "credit": {
          "avg": {
            "field": "credit"
          }
        },
        "@timestamp": {
          "max": {
            "field": "timeStamp"
          }
        }
      }
    }
  }
}

I need to index the anomalous documents in another index, so it must be possible to define something like action concept (e.g. alert, index, ...) in the job but I don't know how to define it.
How can I index the anomalous events in another index?

richcollier · January 26, 2022, 6:48pm

Anomaly Detection jobs create results into a new index already (and are named .ml-anomalies-*). Using the Machine Learning UI in Kibana will read the results from these indices and show them to you but obviously, you're also able to manually query those indices for other purposes (alerting, etc.)

If you want to learn the basics of Elastic ML, download an e-copy of this book:
https://events.elastic.co/machinelearningwithelastic

and/or watch the webinar: “Machine Learning with the Elastic Stack” book preview - Part 1: Anomaly Detection | Elastic Videos

Ilia · January 30, 2022, 10:11am

Thank you Rich,
It's also looks like possible to send results to dedicated indices.

system · February 27, 2022, 10:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Anomaly Detection Job Results Index Kibana	3	23	August 28, 2024
Filtering Index or custom rules for Elastic ML anomaly detection Elasticsearch elastic-stack-machine-learning	6	1417	July 9, 2021
Detection result in new Index Elastic Security detection-rules	6	568	May 21, 2021
What is the ".ml-anomalies" and the ".ml-anomalies-shared"? Kibana elastic-stack-machine-learning	5	1993	September 27, 2019
Conflicting data between Index Dashboard and ML anomaly detection job Kibana elastic-stack-machine-learning	7	484	February 16, 2021

How to index anomalous documents in another index?

Related topics