Using 2 function in same ML Job

mgarg123 · January 29, 2018, 7:40pm

Hi,

I have a use case where I would like to identify anomalies in the unusual time of day user logins from the unusual geo-location (latitude - longitude). From my understanding I'll have to use 2 function in the same ML job (Suppose user ABC logins in during the day from a particular geo-location. suddenly user ABC logged @ night from different Geo-Location. I should be able to detect this anomaly). How I can create this ML job.

time_of_day
lang-lat.
As per my understanding I can't use to different function in the same detector. Can some one please provide me with some solutions. I am using 5.6.6 x-pack.

Thanks,

richcollier · January 29, 2018, 8:25pm

Hello - in order to get more than one "function", you'll need to create the job using the Advanced Job (or the API) and create more than one "detector". For example here's a job with 2 detectors:

mgarg123 · January 29, 2018, 8:31pm

Hi Rich,

Thanks for replying, I create 2 detector in my Job. But they work independently. IE if the Job has anomalies in the time_of_day user logged in, job will display that anomalies separately and if the user logged in from the different Geo-location it will display it separately. I need anomaly to be detected on usual time_of_day usual logged and from different Geo-Location that I.E time_of_day user logged in is not usual and so is his/her geo-location.

Thanks for all your help.

richcollier · January 29, 2018, 8:56pm

I see - sorry for misunderstanding originally.

You are correct - the detectors work independently.

One way that you could get the functionality that you want is to put the tests in two separate jobs, then use Watcher to query their results and look for the common user (influencer).

You might have to use a chained_input watch, where the first query of the chain queries the results of the two jobs (perhaps using the v6.1 "overall buckets" API to see if both jobs have anomalies in the same bucket of time, then use the second query of the chain to determine if the influencer values.

There's probably more than one way to accomplish this, but sounds like an interesting challenge. Good luck!

More info: https://www.elastic.co/blog/alerting-on-machine-learning-jobs-in-elasticsearch-v55

mgarg123 · January 29, 2018, 9:05pm

Rich,

Can you direct me to an examples of chaining multiple bucket eample ? I am using 5.6.3 x-pack.

richcollier · January 29, 2018, 9:07pm

github.com

elastic/examples/blob/master/Alerting/Sample Watches/ml_examples/bucket_record_chain_watch.json

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "metadata": {
    "min_anomaly_score": 75
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "first": {
            "search": {
              "request": {
                "indices": [
                  ".ml-anomalies-*"
                ],
                "body": {

This file has been truncated. show original

system · February 26, 2018, 9:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.