Hey, Im trying to create a job where anomalies are to be detected if the amount of data in an index falls to very low values. If low_count function is used, I can detect anomalies if the count of documents falls to very low values. Is low_sum similar to the low_count function? Can low_sum also be used for situations similar to this, since I'm getting different plots for same data? i.e, can low_Sum be used to find anomalies if input falls to low values?
For low_sum, I used a field EVENTHOUR, which denotes the hour at which we received the data. So, will the anomaly detection be similar for both low_sum and low_count?
There often can be several different ways to detect the evidence of the same situation. This is one of those cases.