ML jobs

richcollier · March 31, 2020, 11:37am

Since the datafeed preview looks okay, it seems like the problem is probably with the fact that your windows logs might be ingested more slowly than your linux logs, thus the real-time nature of the ML job is undermined.

You could test this theory by doing the following:

Go to the ML Anomaly Detection Jobs page.
Clone the windows_anomalous_process_creation job
Have the job run on some past data.
Continue to run the data in "real-time"
If the number of processed records doesn't increase after entering real-time mode (and assuming you are still ingesting new Windows logs) - then you know your ingest delay is bigger than what the ML job is accounting for - so you will need to increase the query_delay parameter of the ML job (or figure out why the ingest delay is larger on Windows than Linux)

Topic		Replies	Views
Prebuilt ML jobs fail SIEM elastic-stack-machine-learning	10	700	May 18, 2020
Machine Learning Real-Time Job stopping after initial run Elasticsearch elastic-stack-machine-learning	9	4041	September 14, 2017
Machine Learning datafeed skipping documents that seem to be there Elasticsearch elastic-stack-machine-learning	14	4357	April 9, 2019
ML Datafeed lookback retrieved no data Elasticsearch elastic-stack-machine-learning	10	2539	April 17, 2018
Datafeed has been retrieving no data for a while Elasticsearch elastic-stack-machine-learning	5	1858	April 16, 2020

ML jobs

Related topics