Kibana 6 ML
We have just upgraded to Kibana 6 and I wanted to try out ML plugin.

It would be ideal for me if I could export anomalies found to a csv file. Is this possible?
Also, is it possible to trigger an ML job and return its results via script?

My use case:
We use a ruby script to transform and index information about orders. We wanted to use ML plugin to detect anomaly orders and to mark them as such.

(Dimitris Athanasiou) #2


  1. ML writes anomalies in elasticsearch as JSON. There is no built-in functionality to convert them to CSV but you could probably write or use something that converts JSON to CSV. The APIs for retrieving the anomaly results are documented here.

  2. Yes, everything ML does can also be used programmatically via its REST API. You can find details in the docs and the API reference.

I hope this helps. Happy anomaly hunting!
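Since the poster already drives indexing from a Ruby script, here is an added example (not from this thread and not Elastic's code) of the "JSON to CSV" step: it builds the request for the 6.x Get Records endpoint (`GET _xpack/ml/anomaly_detectors/<job_id>/results/records`, with the `start`, `end`, `record_score`, `sort`, `desc`, `exclude_interim` and `page` parameters as documented for that version) and flattens a records response into CSV. The response JSON is a constructed sample that follows the documented record shape; the job name, field names and values are made up.

```ruby
require 'json'
require 'csv'
require 'time'

# Constructed sample of a Get Records response (documented shape, made-up values).
SAMPLE_RESPONSE = <<~JSON
{
  "count": 2,
  "records": [
    {
      "job_id": "orders-anomalies", "result_type": "record",
      "timestamp": 1512381600000, "bucket_span": 900, "record_score": 87.4,
      "detector_index": 0, "function": "high_sum", "field_name": "order_total",
      "partition_field_name": "customer_id", "partition_field_value": "c-1042",
      "actual": [9850.0], "typical": [412.3],
      "influencers": [
        {"influencer_field_name": "customer_id", "influencer_field_values": ["c-1042"]},
        {"influencer_field_name": "shipping_country", "influencer_field_values": ["XX", "YY"]}
      ]
    },
    {
      "job_id": "orders-anomalies", "result_type": "record",
      "timestamp": 1512382500000, "bucket_span": 900, "record_score": 12.1,
      "detector_index": 0, "function": "high_sum", "field_name": "order_total",
      "partition_field_name": "customer_id", "partition_field_value": "c-77",
      "actual": [1500.0], "typical": [380.0],
      "influencers": []
    }
  ]
}
JSON

COLUMNS = %w[job_id timestamp bucket_span record_score detector_index function
             field_name partition_field_name partition_field_value actual typical
             influencers].freeze

# Path and body for the 6.x records API. Only records scoring at least min_score
# in [start_time, end_time) are requested, highest score first, interim results excluded.
def records_request(job_id, start_time:, end_time:, min_score: 0.0, size: 100)
  {
    path: "/_xpack/ml/anomaly_detectors/#{job_id}/results/records",
    body: {
      'start' => start_time, 'end' => end_time,
      'record_score' => min_score, 'sort' => 'record_score', 'desc' => true,
      'exclude_interim' => true, 'page' => { 'from' => 0, 'size' => size }
    }
  }
end

# One CSV row per record. Array-valued fields (actual/typical) are joined with "|",
# influencers are rendered as name=value1|value2, separated by ";".
def record_to_row(rec)
  influencers = Array(rec['influencers']).map do |inf|
    "#{inf['influencer_field_name']}=#{Array(inf['influencer_field_values']).join('|')}"
  end.join(';')
  [
    rec['job_id'],
    Time.at(rec['timestamp'] / 1000).utc.iso8601, # epoch millis -> ISO 8601 UTC
    rec['bucket_span'], rec['record_score'], rec['detector_index'], rec['function'],
    rec['field_name'], rec['partition_field_name'], rec['partition_field_value'],
    Array(rec['actual']).join('|'), Array(rec['typical']).join('|'),
    influencers
  ]
end

# Convert a records response into CSV text; records below min_score are dropped.
def records_to_csv(json_text, min_score: 0.0)
  records = JSON.parse(json_text).fetch('records', [])
  kept = records.select { |r| r['record_score'].to_f >= min_score }
  CSV.generate do |csv|
    csv << COLUMNS
    kept.each { |r| csv << record_to_row(r) }
  end
end

if $PROGRAM_NAME == __FILE__
  puts records_request('orders-anomalies', start_time: '2017-12-04T00:00:00Z',
                                           end_time: '2017-12-05T00:00:00Z', min_score: 50).inspect
  puts records_to_csv(SAMPLE_RESPONSE, min_score: 50)
end
```

To use it against a live cluster, send `records_request(...)[:body]` as the JSON body of a GET to `[:path]` with whatever HTTP client the indexing script already uses, then feed the response body to `records_to_csv`. The `min_score` filter is applied both server-side (in the request) and client-side so that a saved response can be re-filtered without re-querying.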
Thanks for the reply. I have a follow-up question... When I do GET on Records resource I can't see an ID of a document that was classified as anomaly. Is retrieval of that information possible?

(rich collier) #4

Hello Kornelia,

In our ML, data is analyzed in time buckets (of width equal to bucket_span). When looking at the results, they are also presented in the context of a time bucket. Depending on the specific configuration of the job that you've created, the anomaly records that you'll see will have information about what was unusual (and by how much). It won't show you the particular elasticsearch document that was the culprit, because it may not be just one - it could be many documents within that bucket_span.

If you desire to view the raw data that is relevant during that window of time, you can use the "custom URL" functionality to specify a destination (such as the discover tab of Kibana) where you can view the raw data during the time of the anomaly (and optionally filtered by the specific "influencer" that ML may have identified).

For additional information, the following blog may be of interest:
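As an added example (not from this thread, not Elastic's code), the Ruby below does in code what the reply describes: it takes one anomaly record, derives the time bucket it belongs to (`timestamp` to `timestamp + bucket_span` seconds) and collects the partition/by/over field and influencer values that identify the slice of raw data that was flagged, then renders them as a Lucene query string for the Discover query bar. That is the same window and filter the ML custom URL feature substitutes for you with its `$earliest$`, `$latest$` and `$<field_name>$` tokens. The record is a constructed sample with made-up field names and values.

```ruby
require 'time'

# Constructed sample anomaly record (documented record shape, made-up values).
SAMPLE_RECORD = {
  'job_id' => 'orders-anomalies',
  'timestamp' => 1512381600000,       # epoch millis: 2017-12-04T10:00:00Z
  'bucket_span' => 900,               # seconds
  'record_score' => 87.4,
  'partition_field_name' => 'customer_id',
  'partition_field_value' => 'c-1042',
  'influencers' => [
    { 'influencer_field_name' => 'customer_id', 'influencer_field_values' => ['c-1042'] },
    { 'influencer_field_name' => 'shipping_country', 'influencer_field_values' => ['XX', 'YY'] }
  ]
}.freeze

# The bucket a record belongs to starts at its timestamp and lasts bucket_span seconds.
# This is the window to look at in Discover: all raw documents in it contributed to
# the bucket's value, so there is no single "culprit" document id to return.
def bucket_window(record)
  start_s = record.fetch('timestamp') / 1000
  finish_s = start_s + record.fetch('bucket_span')
  { earliest: Time.at(start_s).utc.iso8601, latest: Time.at(finish_s).utc.iso8601 }
end

# Field/value pairs that narrow the raw data to what the record is about:
# the detector's partition/by/over field plus every influencer value.
def anomaly_filters(record)
  filters = Hash.new { |h, k| h[k] = [] }
  %w[partition by over].each do |kind|
    name = record["#{kind}_field_name"]
    value = record["#{kind}_field_value"]
    filters[name] << value if name && value
  end
  Array(record['influencers']).each do |inf|
    filters[inf['influencer_field_name']].concat(Array(inf['influencer_field_values']))
  end
  filters.transform_values(&:uniq)
end

# Lucene query string for the Discover query bar: one clause per field,
# multiple values of a field OR-ed together, fields AND-ed.
def lucene_query(filters)
  filters.map do |field, values|
    quoted = values.map { |v| %("#{v}") }.join(' OR ')
    values.size > 1 ? "#{field}:(#{quoted})" : "#{field}:#{quoted}"
  end.join(' AND ')
end

# Everything needed to inspect the raw data behind one record.
def raw_data_lookup(record)
  bucket_window(record).merge(query: lucene_query(anomaly_filters(record)))
end

puts raw_data_lookup(SAMPLE_RECORD).inspect if $PROGRAM_NAME == __FILE__
```

If you want to tag source documents as anomalous from the indexing script, this window plus query is the selector to run against the raw index; the record itself only tells you the bucket and the field values, not the document ids.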
