Looking at a use case where there is a Open and Close event. The Event shares the same ID, so the Close is a document update to the original Open document in ES.
Is there a function in the ML engine to detect when the duration of the Event remains Open for a unusual duration? In this context it would mean that the Close event has never been received.
ML doesn't really inherently handle this use case because the "duration" is undefined in the case where the Close event has never been received. Obviously, ML currently needs to see the values of things over time. There's no function that currently exists that accomplishes what you want.
However, you might be able to re-orient the data. Maybe there's a way to use a bucket script aggregation to, on the fly, calculate the delta in the Open/Close events in some routine bucket interval (see the requirements for using aggs for ML). And then analyze those values calculated by the aggregation with one of the standard functions in ML.
I'm not sure if you have a sensible way to segment the transactions (by type or by entity) and if the cardinality of that segmentation is reasonable enough to do this on-the-fly calculations.
Perhaps more info on your use case would be helpful.
Good points. Its like a function needs to exist that re-evals docs from a certain threshold looking in the past.
How to calculate delta value might give you part of what you want.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.