'View examples' for mlcategory detector hangs browser (6.0.0-rc1)

I have created a job using count by mlcategory on a message field. In the Anomaly Explorer I get anomalies, and in the links column there is an Open link / View examples link. In the next column we have category examples displayed.

In Chrome, when I select the View Examples link the page hangs. What is this supposed to do?

Hi,

Thanks for the question. The 'View Examples' link should be opening up the Kibana Discover page to show the documents which match the category of the selected anomaly. The link will open the Discover page in a separate tab/window. Can you just confirm that you have popup windows enabled in Chrome for your Kibana host (by default popups may be blocked, as indicated by a warning icon on the right of the Chrome address bar).

Thanks
Pete

I don't think it is a pop-up blocker for two reasons.

Firstly, for a simple count job "Open link / View series" successfully opens the Single Metric Viewer in a new tab.

Secondly, the page really is hung. Nothing on the page will respond. Chrome (Version 61.0.3163.79 (Official Build) (32-bit)) is using 50% of the CPU (on a dual-CPU system). Eventually I get a message about "The following page has become unresponsive" and I have to kill it.

OK, thanks for confirming it wasn't down to the popup window being blocked. This sounds like a bug then. I will try to reproduce on some datasets with my setup here.

Do you know if the field you are using as the categorization field is of type keyword or text? Also, would it be possible to paste in a screenshot of the table of your anomalies that you are trying the 'View examples' link on, so that I can get an idea of the text in the categories ML found in your data?

What should be happening, is that 'View examples' on the first row in the table here:

opens up the Discover page to show the documents matching the category:

Note the format of the search run in the Discover page will depend on whether the categorization field is of type text or keyword. This example was on a keyword field.

Thanks
Pete

Same problem for both text and keyword. I am capturing event logs using winlogbeat. I was initially categorizing event_data.param1, which is a keyword, but I just tried it with message which is text and I have the same problem. Filters are '.Event message:' and 'Event time:.' so it just categorizes the message.

Thanks for the extra details on your categorization job. I have now managed to reproduce the issue, with the browser hanging on datasets I have on my setup. I found it occurred for any of the following scenarios:

  1. When a wildcarded index pattern is entered for the job's datafeed configuration e.g. filebeat-6.0.0-beta1-2017.02.*
  2. When the categorization field is a nested Object type
  3. When the categorization field is a multi-field (https://www.elastic.co/guide/en/elasticsearch/reference/current/multi-fields.html), with the categorization field mapped as a keyword as well as a text field, and the keyword version has been entered as the categorization field name.

It sounds like viewing examples for your first configuration using event_data.param1 falls into the second category above. I ran a job categorizing a nested Object field in nginx access logs ingested with filebeat, and the View Examples link did cause the browser the hang as you reported.

A fix for the three scenarios listed above should make it in to the ML plugin for v6.0.1. Any of those scenarios was making the code enter an infinite loop as it attempted to obtain the mapping type of the categorization field.

Does it sound like your second attempt, categorizing the text type message field would fall into one of the three categories above?

Regards
Pete

1 Like

I almost always use wildcard index patterns. In fact it has always puzzled me why ML doesn't let you select from the existing index patterns :wink:

1 Like

OK, sounds like the fix to the View Examples functionality lined up for v6.0.1 should fix both the examples you described, addressing wildcard index patterns and nested Object type mappings.

Thanks for raising the issue and your help in getting to the root cause! Apologies that you will need to wait for 6.0.1 for the fix.

Pete

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.