Real time multi metric job analysis

anomalyml · November 16, 2017, 7:16am

Hi,

Could anyone explain in detail what the "Interval" option is for in creating a watch for real-time job?

Pic_1

The explanation provided in the documents are not elaborative and therefore any help would be appreciated.

Thanks.

James_Gowdy · November 20, 2017, 4:59pm

Hi,

The interval is the period of time over which the watch's search will look for anomalies.
In the search this translates to:

"range": {
  "timestamp": {
    "gte": "now-10m"
  }
}

The watch will run at a specified interval and it will look back over the last 10 minutes to search for anomalies.

We realised the UI is not clear here and so in version 6.0 we have changed it slightly to hopefully make it clearer.
It now looks like this:

I hope this makes it clearer.

Cheers,
James

anomalyml · November 21, 2017, 5:28am

Hi James,

Thanks for the explanation.

In the case if I mention the time range as 'Now - 10m', will the watch run for every 10 minutes taking the last 10 minutes data from that timestamp or the watch constantly runs at predefined system fixed intervals taking the last 10 minute data from that timestamp?

Thanks.

James_Gowdy · November 21, 2017, 9:03am

Hi,

Yes, the last part of your question correctly describes the behaviour.
When the watch is created it is given a trigger interval of a random number between 60s and 120s.
This is to try to avoid the situation where all watches might fire at the same time.
So, say the trigger interval is 88s, the watch's search will run every 88s and look back over the last 10mins of anomaly data.

We appreciate that this may result in anomalies being reported multiple times. If it is the case that you are finding the watch is producing too much noise, you can edit it and increase the triggers interval.

I would recommend always setting trigger interval to be lower than the search interval as you need to leave some time for the anomaly results to be created and written to our results index.
Otherwise there is a chance the watches search will miss results. This is why by default we have such a large difference between the trigger interval and the search interval.
It's better to report on a result twice than to miss it entirely.

I hope this helps.
Cheers,
James

anomalyml · November 22, 2017, 10:49am

Hi James,

Thanks for the explanation.

Regards

system · December 20, 2017, 10:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.