Hi,
in ML jobs functions are categorized in three groups; function itself, low function and high function. For example sum, low sum, high sum. ELK documents explain those functions as;
function itself detects anomalies in a bucket
low detects anomalies in a usual low bucket (when sth begins to increase)
high detects anomalies in a usual high bucket(when sth begins to decrease)
What is the point of using low or high instead of common anomaly detection function?
There are some situations where you don't care about the value moving in one direction, but care if it goes the other way. So for high_sum, you only care if the value is anomalously high. If it's anomalously low that's ok. For example, if your websites latency is normally 100ms, you may not care if it dips to 20ms, but you certainly care if it spikes to 1000ms. So a "high" function is what you're looking for.
Ditto for "low" functions, except the other direction.
The function itself is used if you care about any change in the value, going high or low. It's basically high + low together in one function.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.