Showing 'actual' & 'typical' values in ML anomaly detection alert

nospace · January 10, 2023, 9:19am

Hey folks,

We're running a couple of ML jobs for anomaly detection with mail alerts. For faster detection of false alerts I would like to extend the alert with the values from 'actual' and 'typical'.

The documentation specifies that the values are available, but shows no details on the syntax to add them.

We're currently using the default alert template:

Elastic Stack Machine Learning Alert:
- Job IDs: {{context.jobIds}}
- Time: {{context.timestampIso8601}}
- Anomaly score: {{context.score}}

{{context.message}}

{{#context.topInfluencers.length}}
  Top influencers:
  {{#context.topInfluencers}}
    {{influencer_field_name}} = {{influencer_field_value}} [{{score}}]
  {{/context.topInfluencers}}
{{/context.topInfluencers.length}}

{{#context.topRecords.length}}
  Top records:
  {{#context.topRecords}}
    {{function}}({{field_name}}) {{by_field_value}} {{over_field_value}} {{partition_field_value}} [{{score}}]
  {{/context.topRecords}}
{{/context.topRecords.length}}

{{! Replace kibanaBaseUrl if not configured in Kibana }}
[Open in Anomaly Explorer]({{{kibanaBaseUrl}}}{{{context.anomalyExplorerUrl}}})

I tried several variations but the fields came always back empty:

{{#context.topRecords.length}}
  Top records:
  {{#context.topRecords}}
    {{function}}({{field_name}}) {{by_field_value}} {{over_field_value}} {{partition_field_value}} [{{score}}]
    {{function}}({{field_name}}) {{by_field_value}} {{over_field_value}} {{partition_field_value}} [{{typical}}]
    {{function}}({{field_name}}) {{by_field_value}} {{over_field_value}} {{partition_field_value}} [{{actual}}]
  {{/context.topRecords}}
{{/context.topRecords.length}}

-> Top records: count() [86] count() count()

{{#context.topRecords.length}}
  Top records:
  {{#context.topRecords}}
    {{function}}({{field_name}}) {{by_field_value}} {{over_field_value}} {{partition_field_value}} [{{score}}] Actual: [{{actual}}] Typical: [{{typical}}]
  {{/context.topRecords}}
{{/context.topRecords.length}}

-> Top records: count() [99] Actual: Typical:

Could you kindly help me in which direction to look?

darnautov · January 25, 2023, 9:47am

Hi @nospace,

What is the Kibana version you're using? Actual and Typical values were added to the alerting context in 8.1. The default alert template has been updated accordingly.

Hope it helps.

nospace · January 25, 2023, 9:56am

Hey @darnautov,

Thx for having a look, this helped indeed.

Our cluster still runs an earlier supported version and I didn't realise that the feature was added later. Guess I gonna poke the infrastructure team for an update

Thanks again

system · February 22, 2023, 9:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana Machine Learning Job Alert Kibana elastic-stack-machine-learning	8	487	August 28, 2023
Machine Learning - Confused on Typical vs Actual Values Elasticsearch elastic-stack-machine-learning	4	1329	March 26, 2020
Watcher email body message to send some parameters in anomaly explorer Kibana elastic-stack-monitoring , elastic-stack-machine-learning	7	1346	January 30, 2020
Actual value Elasticsearch elastic-stack-machine-learning	0	108	May 9, 2024
Is it possible to include the Anomaly Explorer screenshot in the watcher sent email Elasticsearch elastic-stack-machine-learning	2	436	April 7, 2020

Showing 'actual' & 'typical' values in ML anomaly detection alert

Related topics