We are running two anomaly detection jobs; for one job we are using a 10 min bucket span and for the second one we are using a 1 hour bucket span. Query delay is the same for both jobs, i.e. the default value.
For both jobs I was getting a data latency warning, so I changed it for one job to see the difference.
Is there any relation between bucket span and query delay?
To figure out the correct query delay value for your anomaly jobs, do the following:
Create a date_histogram aggregation for the last 24 hours, using the bucket_span value as fixed_interval.
Run this aggregation several times with different delays. For instance, if your bucket span is 10m, you can run the aggregation once, then after 10 minutes, after 20 minutes, etc.
Look at the doc_counts of the results for the same time intervals.
Once the doc_counts for the overlapping histogram buckets no longer change, this gives you the effective query_delay parameter.
Alternatively, if both event time and ingest time for your data are available, you can look at the difference between those to figure out the correct query delay value.
You can also calculate ingest lag as described in this article. This will indicate the query delay you need to set.
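The comparison the answer describes, as an added example that is not code from this thread: it builds the date_histogram body and, from several runs of that aggregation taken at increasing delays, works out the delay after a bucket closes at which its doc_count stops changing. The snapshots, the time field and the aggregation name are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def histogram_request(time_field, bucket_span, hours=24):
    """Aggregation body from the answer: last `hours` of data, one bucket per bucket_span."""
    return {
        "size": 0,
        "query": {"range": {time_field: {"gte": f"now-{hours}h", "lt": "now"}}},
        "aggs": {"per_span": {"date_histogram": {"field": time_field,
                                                  "fixed_interval": bucket_span}}},
    }

def effective_query_delay(snapshots, bucket_span):
    """snapshots: [(taken_at, {bucket_start: doc_count}), ...] from repeated runs.
    Returns the delay in minutes after a bucket closes at which its doc_count stopped
    changing (the query_delay to set), or None if counts were still moving at the last run."""
    if len(snapshots) < 2:
        raise ValueError("need at least two runs of the aggregation to compare")
    snapshots = sorted(snapshots, key=lambda s: s[0])
    common = set.intersection(*(set(h) for _, h in snapshots))  # buckets present in every run
    prev_hist, last_hist = snapshots[-2][1], snapshots[-1][1]
    if any(prev_hist[k] != last_hist[k] for k in common):
        return None  # not settled yet: run the aggregation again later
    delay = timedelta(0)
    for start in common:
        counts = [(at, h[start]) for at, h in snapshots]
        final = counts[-1][1]
        if all(c == final for _, c in counts):
            continue  # never changed while observed, so it bounds nothing
        # first run from which the count stays at its final value
        settled_at = next(at for i, (at, _) in enumerate(counts)
                          if all(c == final for _, c in counts[i:]))
        delay = max(delay, settled_at - (start + bucket_span))  # age of the bucket when it settled
    return int(delay.total_seconds() // 60)

# Constructed sample: 10m bucket span, the same aggregation run four times, 10 minutes apart.
SPAN = timedelta(minutes=10)
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
def b(minutes_before):  # bucket start relative to the first run
    return T0 - timedelta(minutes=minutes_before)
SNAPSHOTS = [
    (T0, {b(30): 100, b(20): 95, b(10): 60}),
    (T0 + timedelta(minutes=10), {b(30): 100, b(20): 99, b(10): 90, b(0): 40}),
    (T0 + timedelta(minutes=20), {b(30): 100, b(20): 100, b(10): 100, b(0): 70, b(-10): 30}),
    (T0 + timedelta(minutes=30), {b(30): 100, b(20): 100, b(10): 100, b(0): 100, b(-10): 80, b(-20): 20}),
]

def sample_estimate(runs=4):
    """Estimate from the first `runs` constructed snapshots."""
    return effective_query_delay(SNAPSHOTS[:runs], SPAN)

if __name__ == "__main__":
    print(histogram_request("@timestamp", "10m"))
    print("effective query_delay (minutes):", sample_estimate())  # 30
```

With only the first three runs the counts for the 11:40 bucket still differ between the last two snapshots, so the function returns None and signals that another run is needed.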