Machine Learning - Single Metric Job - Empty 'Field' combobox

kmaci3k · August 10, 2017, 11:20am

Hi,
I'm trying to set up a single metric machine learning job but after selecting 'index' and 'Aggregation' the 'Field' combobox is just empty.
Here is my json:

{
"_index": "metrics-2017.08.10",
"_type": "log",
"_id": "AV3LzmOOYz7FmQ9AaTkm",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2017-08-10T11:01:26.846Z",
"metric": {
"mean_rate": "0.2010489723383618",
"m1": "2.1173417191770407",
"max": "1687.074818",
"count": "1199",
"m5": "1.826075044153773",
"rate_unit": "events/second",
"type": "TIMER",
"p95": "4.488348",
"duration_unit": "milliseconds",
"p98": "5.715514",
"p75": "2.781478",
"m15": "0.9928718861650215",
"p99": "12.113707",
"min": "0.535673",
"median": "1.991261",
"mean": "2.3103161846115925",
"name": "com.codahale.metrics.servlet.InstrumentedFilter.requests",
"p999": "18.361678",
"stddev": "2.993733835792281"
},
"host": "18e27f7d0ef6",
"source": "/var/log/metrics/log-generator-metrics.log",
"fields": {
"file_type": "metrics"
},
"type": "log",
"tags": [
"beats_input_codec_plain_applied"
]
},
"fields": {
"@timestamp": [
1502362886846
]
},
"highlight": {
"metric.name": [
"@kibana-highlighted-field@com.codahale.metrics.servlet.InstrumentedFilter.requests@/kibana-highlighted-field@"
]
},
"sort": [
1502362886846
]
}

Let's say that I would like to detect anomalies in metric.m1. Is there something wrong with my sample data ?

droberts195 · August 10, 2017, 1:18pm

I suspect the problem is that all your fields are strings. The "field" dropdown only lists numeric fields.

I think all features of Elasticsearch and Kibana would work better if you stored your metrics in numeric fields. Not just ML, but range queries, aggregations and charting.

If you cannot reindex the data with more appropriate data types, ML could probably analyze it if you create an advanced job in the UI or use the Elasticsearch REST API directly to create the job. Then you have full control over the JSON that defines the job, and you can put "function" : "metric", "field_name" : "metric.m1" in the appropriate detector definition.

richcollier · August 10, 2017, 5:12pm

The "Field" combo box will be empty, by the way, if you pick one of the count-based aggregation functions (count, low_count, high_count).

Since your data looks like it is metric-based, make sure you choose an aggregation function like min, max, or mean.

kmaci3k · August 10, 2017, 6:46pm

You are right. Thanks for help

system · September 7, 2017, 6:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.