Hey folks,
We're running a couple of ML jobs for anomaly detection with mail alerts. For faster detection of false alerts, I would like to extend the alert with the values from 'actual' and 'typical'.
The documentation specifies that the values are available, but shows no details on the syntax to add them.
We're currently using the default alert template:
Elastic Stack Machine Learning Alert:
- Job IDs: {{context.jobIds}}
- Time: {{context.timestampIso8601}}
- Anomaly score: {{context.score}}
{{context.message}}
{{#context.topInfluencers.length}}
Top influencers:
{{#context.topInfluencers}}
{{influencer_field_name}} = {{influencer_field_value}} [{{score}}]
{{/context.topInfluencers}}
{{/context.topInfluencers.length}}
{{#context.topRecords.length}}
Top records:
{{#context.topRecords}}
{{function}}({{field_name}}) {{by_field_value}} {{over_field_value}} {{partition_field_value}} [{{score}}]
{{/context.topRecords}}
{{/context.topRecords.length}}
{{! Replace kibanaBaseUrl if not configured in Kibana }}
[Open in Anomaly Explorer]({{{kibanaBaseUrl}}}{{{context.anomalyExplorerUrl}}})
I tried several variations, but the fields always came back empty:
{{#context.topRecords.length}}
Top records:
{{#context.topRecords}}
{{function}}({{field_name}}) {{by_field_value}} {{over_field_value}} {{partition_field_value}} [{{score}}]
{{function}}({{field_name}}) {{by_field_value}} {{over_field_value}} {{partition_field_value}} [{{typical}}]
{{function}}({{field_name}}) {{by_field_value}} {{over_field_value}} {{partition_field_value}} [{{actual}}]
{{/context.topRecords}}
{{/context.topRecords.length}}
-> Top records: count() [86] count() count()
{{#context.topRecords.length}}
Top records:
{{#context.topRecords}}
{{function}}({{field_name}}) {{by_field_value}} {{over_field_value}} {{partition_field_value}} [{{score}}] Actual: [{{actual}}] Typical: [{{typical}}]
{{/context.topRecords}}
{{/context.topRecords.length}}
-> Top records: count() [99] Actual: Typical:
Could you kindly help me in which direction to look?
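Added example (not part of the original post, and not Kibana's or mustache.js's code): a small Mustache renderer that applies the same scoping rules the alert template relies on, run against a constructed context. It is here to show what the usual causes of an empty tag look like side by side: a list-valued key iterated with a section, a key that does not exist at that point in the context stack, and an empty record list. The context shape, including `actual`/`typical` modelled as arrays of numbers, is an assumption made for the illustration; the real field names and shapes come from the Kibana ML alert context documentation.

```javascript
// Added example: a minimal Mustache renderer, written here to show how the tags in an
// ML alert template resolve against a context object. It is NOT Kibana's renderer and
// not the mustache.js library; it reproduces the core Mustache rules (sections, dotted
// names, scope lookup, missing keys rendering as empty) behind most "empty field" results.
// Unsupported: partials, inverted sections ({{^x}}), set-delimiter tags.
const TAG = /\{\{\{\s*([^}]+?)\s*\}\}\}|\{\{\s*([#\/!])?\s*([^}]*?)\s*\}\}/g;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Parse a template into a tree of text, variable and section nodes.
function parse(template) {
  const root = { type: 'section', name: '(root)', children: [] };
  const open = [root];
  let last = 0;
  for (const m of template.matchAll(TAG)) {
    const top = open[open.length - 1];
    if (m.index > last) top.children.push({ type: 'text', text: template.slice(last, m.index) });
    last = m.index + m[0].length;
    if (m[1] !== undefined) { top.children.push({ type: 'var', name: m[1], raw: true }); continue; }
    const sigil = m[2], name = m[3];
    if (sigil === '!') continue;                                          // {{! comment }}
    if (sigil === '#') {
      const section = { type: 'section', name, children: [] };
      top.children.push(section); open.push(section); continue;
    }
    if (sigil === '/') {
      if (top.name !== name) throw new Error(`{{/${name}}} closes {{#${top.name}}}`);
      open.pop(); continue;
    }
    top.children.push({ type: 'var', name, raw: false });
  }
  if (last < template.length) open[open.length - 1].children.push({ type: 'text', text: template.slice(last) });
  if (open.length !== 1) throw new Error(`unclosed section {{#${open[open.length - 1].name}}}`);
  return root;
}

// Resolve a (possibly dotted) name against the context stack, innermost scope first.
// A name that resolves nowhere yields undefined, which renders as empty text: that is the
// symptom of a tag whose key is absent from, or spelled differently in, the context.
function lookup(stack, name) {
  if (name === '.') return stack[stack.length - 1];
  const [head, ...rest] = name.split('.');
  for (let i = stack.length - 1; i >= 0; i--) {
    const scope = stack[i];
    if (scope !== null && typeof scope === 'object' && head in scope) {
      let value = scope[head];
      for (const part of rest) {
        if (value === null || value === undefined || !(part in Object(value))) return undefined;
        value = value[part];
      }
      return value;
    }
  }
  return undefined;
}

function renderNodes(nodes, stack) {
  return nodes.map(node => {
    if (node.type === 'text') return node.text;
    const value = lookup(stack, node.name);
    if (node.type === 'var') {
      if (value === undefined || value === null) return '';
      return node.raw ? String(value) : escapeHtml(String(value));  // an array such as [9850] stringifies as "9850"
    }
    if (Array.isArray(value)) return value.map(item => renderNodes(node.children, stack.concat([item]))).join('');
    if (!value) return '';                                             // falsy (0, '', undefined) skips the block
    return renderNodes(node.children, typeof value === 'object' ? stack.concat([value]) : stack);
  }).join('');
}

// Render an alert template with the alert's context exposed under `context.`, as in the post.
function renderAlert(template, context) {
  return renderNodes(parse(template).children, [{ context }]);
}

// Constructed sample context (not captured from Kibana). Field names are the ones the post's
// template uses; modelling `actual`/`typical` as arrays of numbers is an assumption.
const sampleContext = {
  jobIds: ['web-traffic-job'],
  timestampIso8601: '2024-01-01T00:00:00.000Z',
  score: 86,
  message: 'constructed sample message',
  topInfluencers: [{ influencer_field_name: 'client_ip', influencer_field_value: '192.0.2.10', score: 91 }],
  topRecords: [{
    function: 'count', field_name: '', by_field_value: '', over_field_value: '', partition_field_value: '',
    score: 86, actual: [9850], typical: [212],
  }],
};

// Three renderings worth comparing when a tag comes back empty: keys present and iterated
// with a section, a key that does not exist at that scope, and an empty record list.
function demo() {
  const records = '{{#context.topRecords.length}}Top records:\n{{#context.topRecords}}'
    + '{{function}}({{field_name}}) [{{score}}] Actual: {{#actual}}{{.}}{{/actual}} Typical: {{#typical}}{{.}}{{/typical}}\n'
    + '{{/context.topRecords}}{{/context.topRecords.length}}';
  return {
    present: renderAlert(records, sampleContext),
    missing: renderAlert('{{#context.topRecords}}[{{score}}] Actual: {{actual_value}}{{/context.topRecords}}', sampleContext),
    empty: renderAlert(records, { ...sampleContext, topRecords: [] }),
  };
}

console.log(demo());
```

Run it with `node`. The diagnostic it illustrates: a Mustache tag renders empty whenever its name does not resolve in the current scope, so the first thing to verify is that the key exists under exactly that name at that point in the alert's context (inside `{{#context.topRecords}}` the lookup tries the current record first, then the outer context). When a value is a list, iterating it with a `{{#name}}{{.}}{{/name}}` section makes the rendering independent of how the engine stringifies arrays, and an empty list renders nothing at all rather than a placeholder.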