Question on how to choose the aggregations for ML job

I have documents which contain response codes like 200, 400, 500.
Now I have to create an ML job that filters the documents containing response codes other than 200, which are treated as anomalies.
Below is what the fields look like:

    @timestamp        Nov 8, 2019 @ 05:21:15.401
    @version          1
    Address           http://xxxxxxxxx/services/api/e
    Message_Id        33xxxxx
    Request_Time      Nov 8, 1970 @ 06:21:14.924
    Response-Code     200
    Response_Payload  {"success":true,"message":"Loaded 0 entries","data":,"total":"0","metaData":{"root":"data","fields":
I have added the datafeed query as:

    {
      "bool": {
        "filter": {
          "range": {
            "Response-Code": {
              "gte": "201"
            }
          }
        }
      }
    }

Now which detector do I have to choose to detect anomalies?

Since you are looking for anomalies in occurrence rates, you need to use the count detector.

If you want to count the occurrence rate of every Response-Code individually, you would "split" the analysis by using partition_field_name : Response-Code

  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "function": "count",
        "partition_field_name": "Response-Code"
      }
    ],
    "influencers": [
      "Response-Code"
    ]
  },
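To make concrete what that configuration asks the job to model, here is an added, offline illustration (my own code, not Elastic's): it applies the same datafeed filter (Response-Code above 200), then builds the per-Response-Code series of event counts per 15-minute bucket that a `count` detector with `partition_field_name: Response-Code` hands to the model. The `flag_bucket_spikes` scoring is a deliberately simple z-score stand-in for the real probabilistic model, and the sample documents are constructed, not taken from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

BUCKET_SPAN = timedelta(minutes=15)  # same as "bucket_span": "15m" in the job

def datafeed_filter(doc):
    """Mirror of the datafeed query: keep documents whose Response-Code is above 200."""
    return doc["Response-Code"] > 200

def bucket_counts(docs, bucket_span=BUCKET_SPAN):
    """What function=count with partition_field_name=Response-Code feeds the model:
    one series per Response-Code, one event count per bucket (aligned to the span,
    empty buckets count as 0)."""
    span_s = bucket_span.total_seconds()
    kept = [d for d in docs if datafeed_filter(d)]
    if not kept:
        return {}
    idx = [int(d["@timestamp"].timestamp() // span_s) for d in kept]
    first, n = min(idx), max(idx) - min(idx) + 1
    series = defaultdict(lambda: [0] * n)
    for d, i in zip(kept, idx):
        series[d["Response-Code"]][i - first] += 1
    return dict(series)

def flag_bucket_spikes(series, threshold=3.0):
    """Toy stand-in for the ML scoring so this runs offline: flag a bucket whose count
    is `threshold` standard deviations above the rest of its own partition (std floored
    at 1 so a flat baseline does not divide by zero). The real job fits a model instead."""
    flagged = []
    for code, counts in series.items():
        for i, c in enumerate(counts):
            others = counts[:i] + counts[i + 1:]
            z = (c - mean(others)) / max(pstdev(others), 1.0) if others else 0.0
            if z > threshold:
                flagged.append((code, i, c))
    return flagged

# Constructed sample (not from the post): two hours from 2019-11-08T05:00Z, mostly 200s,
# one 500 per 15-minute bucket, a lone 404, and a burst of 500s in bucket 5.
BASE = datetime(2019, 11, 8, 5, 0, tzinfo=timezone.utc)
def _doc(minutes, code):
    return {"@timestamp": BASE + timedelta(minutes=minutes), "Response-Code": code}
SAMPLE_DOCS = (
    [_doc(m, 200) for m in range(0, 120, 5)]      # 24 successes, dropped by the datafeed filter
    + [_doc(15 * b + 3, 500) for b in range(8)]    # one 500 in each of buckets 0..7
    + [_doc(15 * 5 + 7, 500) for _ in range(11)]   # 11 extra 500s in bucket 5
    + [_doc(15 * 2 + 1, 404)]                      # a single 404 in bucket 2
)
if __name__ == "__main__":
    counts = bucket_counts(SAMPLE_DOCS)
    print(counts, flag_bucket_spikes(counts))  # {500: [1, 1, 1, 1, 1, 12, 1, 1], 404: [0, 0, 1, 0, 0, 0, 0, 0]} [(500, 5, 12)]
```

Note that because the datafeed drops the 200s, a partition with no errors in a bucket is modelled as a count of 0 rather than being absent, which is what lets the count detector see a burst of 500s as a rate change rather than as new data.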

Thanks for the solution
