ML Anomaly Job with exclude_frequent option

marmai16 · November 27, 2023, 12:28pm

Hello everyone,

i was reading through the docs and became curious

Say i create two detectors.
One detector is high_sum(a) over b
The other detector is high_sum(a) by c.

Now, if i define exclude_frequent = over for the first detector, then it will exclude frequently occurring values in b from triggering anomalies completely?

Consequently, it would make no sense to define exclude_frequent = over with the second detector high_sum(a) by c since over_field is empty?
Thus in case of high_sum(a) by c we would need to set exclude_frequent = by to make it exclude frequent values in c from triggering anomalies?

Am i understanding this correctly?

richcollier · November 30, 2023, 2:53pm

First and foremost, you should probably understand the major differences in using the over field versus using a split field like by or partition. Using the over field results in a population analysis (comparing entities against the population) which is much different than the normal temporal analysis (comparing an entity against its own history).

See: Temporal vs. Population Analysis in Elastic Machine Learning | Elastic Blog

Secondly, the use of exclude_frequent predated the creation of Filters in Custom Rules, which give you more flexibility and control on what gets excluded.

Topic		Replies	Views
Ml detector with exclude frequent enabled Elasticsearch elastic-stack-machine-learning	6	1273	August 13, 2020
Machine learning options Elasticsearch elastic-stack-machine-learning	2	816	November 27, 2020
ML: difference between partition_field_name and by_field_name in a population job? Elasticsearch elastic-stack-machine-learning	9	1756	December 7, 2021
Advanced Configuration Machine Learning Kibana elastic-stack-machine-learning	9	619	October 28, 2022
Will influencer change the way a model might detect and anomaly? Elasticsearch elastic-stack-machine-learning	4	531	April 3, 2023

ML Anomaly Job with exclude_frequent option

Related topics