Watcher alerts 7.5 interval and bucket span

Why if its recomended that the interval of a watch has to be equal to twice the defined bucket_span for the job. , when I create an anomaly detection alert in the kibana GUI, the interval is set to aprox. one minute?

my bucket span is 15 minutes, so in the creation of the watch, the bucket span is not taken in to consideration automatically?

It's because the timestamp of the documents in .ml-anomalies-* are written with a value that is the leading edge of the bucket_span. So results from 12:00-12:15 will be written with a timestamp of 12:00 - but they won't be "finalized" until some short amount of time after 12:15. Well, actually, 12:15+query_delay+whatever time it takes the analytics to run. So, using a look-back interval of 2* bucket_span will ensure nothing gets "missed".

In the Kibana GUI, the one minute setting is the "frequency" of the check for an alert condition, not the look-back window (which is indeed set to 2* bucket_span (although some optimizations are being made. See:

1 Like

Hi Rich, sorry english is not my native language, so this value "interval" must be 2*bucket_span?


No worries about language!

No, the interval of the watch is NOT what I'm talking about. The interval is how often the watch is executed.

The "lookback" period of the watch is in the range of the query itself as in:

                  "range": {
                    "timestamp": {
                      "gte": "now-30m"

This value (in this case, the 30m) should be the value that is 2*bucket_span.

If the interval value is short (like 1m), the watch will run the query very frequently. This is good because it gives the fastest time to notification, but then you might have to deal with duplicate alerts since the information returned from the query is not changing as fast as you're checking it.

Hope that helps

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.