X-pack Single metric job

The actual value in your case is the sum(field) within the time range of:

(bucket_time,bucket_time+30m]

meaning inclusive of the start of the bucket, but 1ms shy of the end time. So, for example, here's an anomaly that shows the actual value of "6386" between 5:45am and 6:00am.

However, the reality is, this is the value between 05:45:00.000 and 05:59:59.999 as seen by this Kibana visualization:

For reference, if the end time of the Kibana visualization was 06:00:00.000, the sum would actually be different because there is a document in this index with that timestamp, thus increasing the sum:

Bottom line, the bucket that ML uses is "up to but not including" the end time.

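To make the boundary rule concrete, here is an added example (not code from the thread or from Elastic) that buckets a constructed set of documents the way the answer describes: each ML bucket is the half-open window [start, start + span), so a document stamped exactly on the end time falls into the next bucket, while an inclusive Kibana range ending at 06:00:00.000 would pull it in. The 15-minute span, the sample timestamps and values are assumptions chosen to match the 05:45 to 06:00 bucket in the post.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SPAN_15M = timedelta(minutes=15)  # assumed bucket span for the 05:45-06:00 example


def utc(*args):
    """Build a timezone-aware UTC datetime (ML buckets are epoch/UTC aligned)."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample documents (timestamp, value of the summed field); not data from the thread.
# The first three sum to the 6386 quoted above; the fourth sits exactly on the 06:00:00.000 boundary.
DOCS = [
    (utc(2024, 1, 1, 5, 45, 0, 0), 1000),
    (utc(2024, 1, 1, 5, 52, 30, 0), 2386),
    (utc(2024, 1, 1, 5, 59, 59, 999000), 3000),  # last millisecond of the 05:45 bucket
    (utc(2024, 1, 1, 6, 0, 0, 0), 500),          # first millisecond of the 06:00 bucket
    (utc(2024, 1, 1, 6, 10, 0, 0), 700),
]


def bucket_start(ts, span):
    """Floor a timestamp onto the epoch-aligned bucket that contains it."""
    return ts - (ts - EPOCH) % span


def ml_bucket_sums(docs, span):
    """Sum per bucket over the half-open window [start, start + span):
    the start is included and the end time is excluded, as the ML job does."""
    sums = {}
    for ts, value in docs:
        start = bucket_start(ts, span)
        sums[start] = sums.get(start, 0) + value
    return sums


def closed_range_sum(docs, start, end):
    """Sum over an inclusive range [start, end], which is how a Kibana time picker
    whose end is 06:00:00.000 counts a document carrying that exact timestamp."""
    return sum(value for ts, value in docs if start <= ts <= end)
```

Running `ml_bucket_sums(DOCS, SPAN_15M)` gives 6386 for the 05:45 bucket and 1200 for the 06:00 bucket, whereas `closed_range_sum(DOCS, utc(2024, 1, 1, 5, 45), utc(2024, 1, 1, 6, 0))` returns 6886 because the boundary document is counted.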