Hi @richcollier, thank you for your reply. I have increased the interval and it looks working for missed results. however I found another inconsistency in the results which I'm not sure if related to interval or not - I had another watcher looking at a ML job results with a 10min bucket span and query_delay around 15min. Watcher has a timestamp filter with the following config to be sure all the results are written and final. I noticed that a execution of watcher has fired for a record with a record_score of 85 which I couldn't find in ml-anomalies results. However I found a record with the same values (timestamp, typical, actual, ..) and a record_score=24 and initial_record_score=85. So it looks that the score has been updated after bucket results have been finalized (is_interim:false). Is that an expected behavior? I was expecting that the score normalization happen before is_interim:false are written.
"filter": {
"range": {
"timestamp": {
"gte": "now-3h/h",
"lt": "now-1h/h"
}}},
"must": [ {
"terms": {
"result_type": [
"record"
] } },
{
"range": {
"record_score": {
"gt": 75}}},
{
"range": {
"multi_bucket_impact": {
"lt": 2}}},
{
"match": {
"is_interim": false}}
]