Query for anomaly explorer visualization

Hi, I'm trying to emulate the anomaly explorer in a Vega visualization. At first I thought that a top hits aggregation would get me similar results, like this query:

POST /.ml-anomalies-*/_search
{
  "size": 0, 
  "aggs": {
    "top_score": {
      "top_hits": {
        "sort": [
          {
            "record_score": {
              "order": "desc"
            }
          }
        ],
        "_source": {
          "includes": [
            "actual",
            "typical",
            "partition_field_value",
            "record_score",
            "timestamp",
            "by_field"
          ]
        },
        "size": 10
      }
    }
  }
}

But after seeing this anomaly explorer for a job, I realize that it is more than just a top hits aggregation.

What would be the query to obtain similar results and display them in Vega?

Hey @ElasticLiver,

First, may I ask what Elastic Stack version you're using? Since 7.8 we provide the anomaly swim lane embeddable, and since 7.9 you can attach it to the dashboard directly from the Anomaly Explorer page.

If you still prefer to write a query manually, it depends on the anomaly results you are interested in. Is it the Overall swim lane, View by an influencer, or View by job id?
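As an added illustration of the difference between the top hits query in the question and a swim-lane view (this is example code, not from either poster): a swim lane keeps the highest score in every time bucket per lane, so quiet periods remain visible instead of being dropped. The field names (`partition_field_value`, `record_score`, `timestamp`) come from the question's query; the `result_type: record` filter, the 15-minute interval and the sample response are assumptions, and the lane field can be swapped for an influencer or `job_id` field for the other views mentioned above.

```python
"""Build a swim-lane style aggregation for POST /.ml-anomalies-*/_search
and flatten the response into rows a Vega chart can consume."""

def swimlane_query(interval="15m", lane_field="partition_field_value",
                   score_field="record_score", max_lanes=10):
    """Return the request body: one terms bucket per lane, ordered by its
    peak score, with a date_histogram of max score inside each lane.
    min_doc_count=0 keeps empty time buckets so the lane stays continuous."""
    return {
        "size": 0,
        "query": {"term": {"result_type": "record"}},  # assumed filter
        "aggs": {
            "lanes": {
                "terms": {"field": lane_field, "size": max_lanes,
                          "order": {"peak": "desc"}},
                "aggs": {
                    "peak": {"max": {"field": score_field}},
                    "cells": {
                        "date_histogram": {"field": "timestamp",
                                           "fixed_interval": interval,
                                           "min_doc_count": 0},
                        "aggs": {"score": {"max": {"field": score_field}}},
                    },
                },
            }
        },
    }

def flatten(response):
    """Turn the aggregation response into [{lane, time, score}] rows.
    Empty histogram buckets report max == None; they become score 0.0."""
    rows = []
    for lane in response["aggregations"]["lanes"]["buckets"]:
        for cell in lane["cells"]["buckets"]:
            score = cell["score"]["value"]
            rows.append({"lane": lane["key"], "time": cell["key_as_string"],
                         "score": 0.0 if score is None else float(score)})
    return rows

# Constructed sample response, shaped like what the query above returns.
SAMPLE_RESPONSE = {"aggregations": {"lanes": {"buckets": [
    {"key": "host-a", "peak": {"value": 92.5}, "cells": {"buckets": [
        {"key_as_string": "2024-01-01T00:00:00.000Z", "score": {"value": 3.1}},
        {"key_as_string": "2024-01-01T00:15:00.000Z", "score": {"value": None}},
        {"key_as_string": "2024-01-01T00:30:00.000Z", "score": {"value": 92.5}},
    ]}},
]}}}

if __name__ == "__main__":
    for row in flatten(SAMPLE_RESPONSE):
        print(row)
```

The flattened rows map directly onto a Vega `rect` mark with `lane` on the y axis, `time` on the x axis and `score` driving the fill colour.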
