Hello
I would like to know what is the difference between “count”, “low count”, and “high count”.
I assume that the “count” function includes the results from “low count”, “high count”, and more. Please correct me if I’m wrong.
If that's true, can you please give an example or show some of the results from “count” that are from neither “low count” nor “high count”?
Simply, the count detector function finds anomalous deviations in the rate of documents/events on both the "high side" and the "low side" (i.e. spikes and dips) - whereas the one-sided functions of low_count and high_count only find anomalies on the low side and the high side, respectively.
As an example, you might pick low_count as an appropriate detector to track online orders per unit time because you might only want to know if your orders are less than expected (as having orders be higher than expected is likely a "good" thing). Alternatively, if you're looking for DDoS activity, then only looking for anomalies on the high side makes sense, thus an appropriate use of high_count.
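The sidedness described in the answer above, as an added example that is not part of the original thread and is not Elastic's code. It swaps in a simple median/MAD robust z-score for the real anomaly model; the names `robust_z` and `detect`, the threshold, and the request counts are all assumptions constructed for illustration.

```python
from statistics import median

def robust_z(counts):
    """Deviation of each bucket from the median, scaled by MAD.
    A stand-in baseline, not the model Elastic ML uses."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1.0  # avoid divide-by-zero
    return [(c - med) / (1.4826 * mad) for c in counts]

def detect(counts, function="count", threshold=4.0):
    """Return indices of anomalous buckets for count / low_count / high_count."""
    flagged = []
    for i, z in enumerate(robust_z(counts)):
        high = z >= threshold    # spike: far above the expected rate
        low = z <= -threshold    # dip: far below the expected rate
        if ((function == "count" and (high or low))
                or (function == "high_count" and high)
                or (function == "low_count" and low)):
            flagged.append(i)
    return flagged

# Constructed sample: requests per 5-minute bucket.
# Bucket 6 is a spike (DDoS-like burst); bucket 11 is a dip (e.g. an outage).
REQUESTS = [102, 98, 105, 97, 101, 99, 940, 103, 100, 96, 104, 3, 101, 99]

if __name__ == "__main__":
    for fn in ("count", "high_count", "low_count"):
        print(f"{fn:<10} -> anomalous buckets {detect(REQUESTS, fn)}")
```

In this simplified model the two-sided result is the union of the two one-sided results, so the spike is reported by `count` and `high_count` and the dip by `count` and `low_count`.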