Question on how to choose the aggregations for ML job

satyam2593 · November 8, 2019, 5:32am

I have the documents which contains the Response codes like 200,400, 500.
Now i have to create the ML job it should filter the documents which contains the response codes other than 200 treated as Anomalies.
Below are the fields looks like
@timestamp Nov 8, 2019 @ 05:21:15.401
@version 1
Address http://xxxxxxxxx/services/api/e
Message_Id 33xxxxx
Request_Time Nov 8, 1970 @ 06:21:14.924
Response-Code 200
Response_Payload {"success":true,"message":"Loaded 0 entries","data":,"total":"0","metaData":{"root":"data","fields":
I have added data feed as
{
"bool": {
"filter": {
"range": {
"Response-Code": {
"gte": "201"
}
}
}
}
}

Now what is the detector i have to choose to detect Anomalies

richcollier · November 11, 2019, 1:08pm

Since you are looking for anomalies in occurrence rates, you need to use the count detector.

If you want to count the occurrence rate of every Response-Code individually, you would "split" the analysis by using partition_field_name : Response-Code

  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "function": "count",
        "partition_field_name": "Response-Code"
      }
    ],
    "influencers": [
      "Response-Code"
    ]
  },

satyam2593 · November 12, 2019, 5:12am

Thanks for the solution

system · December 10, 2019, 5:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.