Kibana graph for anomaly detection

With some data loaded into ES using LS, is there a way to set a threshold in Kibana and display an indicator when it is breached? For example, set the number of transactions in an hour across the system to 200. When the dashboard gets refreshed, it should indicate in red or something when it goes beyond 200 in a timeline graph or some visualization. So if we look at the whole day, some hours will be red or spikes and most will be green or lower lines. This will be useful for us to display anomaly detection capability. We are still working to understand Prelert, but this kind of detection in Kibana will help us to see it in graphs.

Regards, Raj

It's not a feature at the moment, we have an open enhancement request you can track (and add your input on) here: https://github.com/elastic/kibana/issues/4482

You can do something like that in Timelion.

With a moving average:

$thres=THRESHOLD, $act=.es(index=INDEX,metric=sum:FIELD), $movavg=.es(index=INDEX,metric=sum:FIELD).mvavg(window=5), ($movavg).lines(10).color(lightgray).label("Moving Average"), ($act).color(#07a5de).label("Actual"), ($movavg).subtract($act).abs().if(lt,$thres,null,$act).points(5,3,0).color(#e9478b).label("Anomaly")

With Holt-Winters:

$thres=THRESHOLD, $act=.es(index=INDEX,metric=sum:FIELD), $holt=.es(index=INDEX,metric=sum:FIELD).holt(0.9,0.1,0.9,24h), ($holt).lines(10).color(lightgray).label("HoltWinters"), ($act).color(#07a5de).label("Actual"), ($holt).subtract($act).abs().if(lt,$thres,null,$act).points(5,3,0).color(#e9478b).label("Anomaly")

(You'll need to change THRESHOLD, INDEX and FIELD to suit your data.)

These can be misleading though. We've found that both of the above generate multiple false positives compared to ML, see the image below:
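The two checks discussed in this thread (the fixed "more than 200 transactions in an hour" flag and the Timelion `$movavg.subtract($act).abs().if(lt,$thres,null,$act)` deviation flag) reproduced in plain Python over a constructed day of hourly counts, so the threshold sensitivity and the false-positive effect can be seen without a cluster. This is an added example, not code from the thread; the centred window is an assumption about how Timelion's `mvavg` aligns its window, and the data is made up.

```python
# Constructed hourly transaction counts for one day (24 hours); the spike at
# hour 14 is the single genuine anomaly we want flagged.
HOURLY_TX = [120, 115, 130, 125, 140, 150, 160, 170, 180, 175, 190, 185,
             195, 190, 420, 185, 180, 175, 165, 160, 150, 140, 130, 125]


def moving_average(series, window=5):
    """Centred moving average (assumed to match Timelion's mvavg alignment);
    the window is clipped at both ends of the series."""
    half = window // 2
    out = []
    for i in range(len(series)):
        lo, hi = max(0, i - half), min(len(series), i + half + 1)
        chunk = series[lo:hi]
        out.append(sum(chunk) / len(chunk))
    return out


def fixed_threshold_flags(series, limit=200):
    """The original poster's rule: red whenever the hourly count exceeds `limit`."""
    return [v > limit for v in series]


def deviation_anomalies(series, threshold, window=5):
    """Mirror of `$movavg.subtract($act).abs().if(lt,$thres,null,$act)`:
    None where |movavg - actual| < threshold, otherwise the actual value
    (the point Timelion would draw as an 'Anomaly')."""
    avg = moving_average(series, window)
    return [None if abs(a - v) < threshold else v for a, v in zip(avg, series)]


def flagged_hours(result):
    """Indices that were flagged: True in the fixed list, non-None in the
    deviation list."""
    return [i for i, v in enumerate(result) if v is not None and v is not False]


if __name__ == "__main__":
    print("fixed > 200:", flagged_hours(fixed_threshold_flags(HOURLY_TX)))
    print("deviation, thres=100:", flagged_hours(deviation_anomalies(HOURLY_TX, 100)))
    # The spike inflates the average of its neighbours, so a tighter threshold
    # also flags the normal hours around it: the false positives noted above.
    print("deviation, thres=40:", flagged_hours(deviation_anomalies(HOURLY_TX, 40)))
```

With threshold 100 only hour 14 is flagged; with threshold 40 the spike's contamination of the centred average also flags hours 12, 13, 15 and 16, which is the kind of false positive the reply warns about.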

Thanks, will try this.

Thanks for the reply, will do a +1 on the enhancement.
