[role="xpack"]
[testenv="platinum"]
[[ml-get-bucket]]
=== Get buckets API
++++
<titleabbrev>Get buckets</titleabbrev>
++++

Retrieves {anomaly-job} results for one or more buckets.

[[ml-get-bucket-request]]
==== {api-request-title}

`GET _ml/anomaly_detectors/<job_id>/results/buckets` +

`GET _ml/anomaly_detectors/<job_id>/results/buckets/<timestamp>`

[[ml-get-bucket-prereqs]]
==== {api-prereq-title}

* If the {es} {security-features} are enabled, you must have `monitor_ml`,
`monitor`, `manage_ml`, or `manage` cluster privileges to use this API. You also
need `read` index privilege on the index that stores the results. The
`machine_learning_admin` and `machine_learning_user` roles provide these
privileges. For more information, see
<<security-privileges>> and
<<built-in-roles>>.

[[ml-get-bucket-desc]]
==== {api-description-title}

The get buckets API presents a chronological view of the records, grouped by
bucket.

[[ml-get-bucket-path-parms]]
==== {api-path-parms-title}

`<job_id>`::
(Required, string)
include::{docdir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]

`<timestamp>`::
(Optional, string) The timestamp of a single bucket result. If you do not
specify this parameter, the API returns information about all buckets.

[[ml-get-bucket-request-body]]
==== {api-request-body-title}

`anomaly_score`::
(Optional, double) Returns buckets with anomaly scores greater than or equal to
this value.

`desc`::
(Optional, boolean)
include::{docdir}/ml/ml-shared.asciidoc[tag=desc-results]

`end`::
(Optional, string) Returns buckets with timestamps earlier than this time.

`exclude_interim`::
(Optional, boolean)
include::{docdir}/ml/ml-shared.asciidoc[tag=exclude-interim-results]

`expand`::
(Optional, boolean) If true, the output includes anomaly records.

`page`.`from`::
(Optional, integer) Skips the specified number of buckets.

`page`.`size`::
(Optional, integer) Specifies the maximum number of buckets to obtain.

`sort`::
(Optional, string) Specifies the sort field for the requested buckets. By
default, the buckets are sorted by the `timestamp` field.

`start`::
(Optional, string) Returns buckets with timestamps after this time.

[[ml-get-bucket-results]]
==== {api-response-body-title}

The API returns an array of bucket objects, which have the following properties:

`anomaly_score`::
(number) The maximum anomaly score, between 0-100, for any of the bucket
influencers. This is an overall, rate-limited score for the job. All the anomaly
records in the bucket contribute to this score. This value might be updated as
new data is analyzed.

`bucket_influencers`::
(array) An array of bucket influencer objects, which have the following
properties:

`bucket_influencers`.`anomaly_score`:::
(number) A normalized score between 0-100, which is calculated for each bucket
influencer. This score might be updated as newer data is analyzed.

`bucket_influencers`.`bucket_span`:::
(number)
include::{docdir}/ml/ml-shared.asciidoc[tag=bucket-span-results]

`bucket_influencers`.`initial_anomaly_score`:::
(number) The score between 0-100 for each bucket influencer. This score is the
initial value that was calculated at the time the bucket was processed.

`bucket_influencers`.`influencer_field_name`:::
(string) The field name of the influencer.

`bucket_influencers`.`influencer_field_value`:::
(string) The field value of the influencer.

`bucket_influencers`.`is_interim`:::
(boolean)
include::{docdir}/ml/ml-shared.asciidoc[tag=is-interim]

`bucket_influencers`.`job_id`:::
(string)
include::{docdir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]

`bucket_influencers`.`probability`:::
(number) The probability that the bucket has this behavior, in the range 0 to 1.
This value can be held to a high precision of over 300 decimal places, so the
`anomaly_score` is provided as a human-readable and friendly interpretation of
this.

`bucket_influencers`.`raw_anomaly_score`:::
(number) Internal.

`bucket_influencers`.`result_type`:::
(string) Internal. This value is always set to `bucket_influencer`.

`bucket_influencers`.`timestamp`:::
(date) The start time of the bucket for which these results were calculated.

`bucket_span`::
(number)
include::{docdir}/ml/ml-shared.asciidoc[tag=bucket-span-results]

`event_count`::
(number) The number of input data records processed in this bucket.

`initial_anomaly_score`::
(number) The maximum `anomaly_score` for any of the bucket influencers. This is
the initial value that was calculated at the time the bucket was processed.

`is_interim`::
(boolean)
include::{docdir}/ml/ml-shared.asciidoc[tag=is-interim]

`job_id`::
(string)
include::{docdir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]

`processing_time_ms`::
(number) The amount of time, in milliseconds, that it took to analyze the bucket
contents and calculate results.

`result_type`::
(string) Internal. This value is always set to `bucket`.

`timestamp`::
(date) The start time of the bucket. This timestamp uniquely identifies the
bucket.
+
--
NOTE: Events that occur exactly at the timestamp of the bucket are included in
the results for the bucket.

--

[[ml-get-bucket-example]]
==== {api-examples-title}

[source,console]
--------------------------------------------------
GET _ml/anomaly_detectors/low_request_rate/results/buckets
{
  "anomaly_score": 80,
  "start": "1454530200001"
}
--------------------------------------------------
// TEST[skip:Kibana sample data]

In this example, the API returns a single result that matches the specified
score and time constraints:
[source,js]
----
{
  "count" : 1,
  "buckets" : [
    {
      "job_id" : "low_request_rate",
      "timestamp" : 1578398400000,
      "anomaly_score" : 91.58505459594764,
      "bucket_span" : 3600,
      "initial_anomaly_score" : 91.58505459594764,
      "event_count" : 0,
      "is_interim" : false,
      "bucket_influencers" : [
        {
          "job_id" : "low_request_rate",
          "result_type" : "bucket_influencer",
          "influencer_field_name" : "bucket_time",
          "initial_anomaly_score" : 91.58505459594764,
          "anomaly_score" : 91.58505459594764,
          "raw_anomaly_score" : 0.5758246639716365,
          "probability" : 1.7340849573442696E-4,
          "timestamp" : 1578398400000,
          "bucket_span" : 3600,
          "is_interim" : false
        }
      ],
      "processing_time_ms" : 0,
      "result_type" : "bucket"
    }
  ]
}
----
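A triage pass over a response of this shape, as an added example that is not part of the Elasticsearch documentation: it skips interim buckets, alerts on the current `anomaly_score`, and flags buckets whose `initial_anomaly_score` reached the threshold before the score was updated. The `triage_buckets` helper, the threshold of 80 (taken from the request above) and the second and third sample buckets are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the documented response shape. The first bucket reuses
# values from the page's example; the other two are invented edge cases.
SAMPLE = {"count": 3, "buckets": [
    {"job_id": "low_request_rate", "timestamp": 1578398400000,
     "anomaly_score": 91.58505459594764, "is_interim": False,
     "initial_anomaly_score": 91.58505459594764,
     "bucket_influencers": [{"influencer_field_name": "bucket_time",
                             "anomaly_score": 91.58505459594764}]},
    {"job_id": "low_request_rate", "timestamp": 1578402000000,
     "anomaly_score": 42.0, "is_interim": False,
     "initial_anomaly_score": 88.0,
     "bucket_influencers": [{"influencer_field_name": "bucket_time",
                             "anomaly_score": 42.0}]},
    {"job_id": "low_request_rate", "timestamp": 1578405600000,
     "anomaly_score": 95.0, "is_interim": True,
     "initial_anomaly_score": 95.0, "bucket_influencers": []},
]}


def triage_buckets(response, min_score=80.0):
    """Classify finalized buckets against min_score (hypothetical helper)."""
    findings = []
    for bucket in response.get("buckets", []):
        if bucket.get("is_interim"):
            continue  # interim results can still change; do not alert on them
        score = bucket["anomaly_score"]
        initial = bucket["initial_anomaly_score"]
        if score >= min_score:
            status = "alert"
        elif initial >= min_score:
            status = "downgraded"  # reached the bar once, score updated since
        else:
            continue
        top = max(bucket.get("bucket_influencers", []),
                  key=lambda inf: inf["anomaly_score"], default=None)
        start = datetime.fromtimestamp(bucket["timestamp"] / 1000, tz=timezone.utc)
        findings.append({
            "job_id": bucket["job_id"],
            "bucket_start": start.isoformat(),  # timestamp is epoch milliseconds
            "status": status,
            "anomaly_score": round(score, 2),
            "score_change": round(score - initial, 2),
            "top_influencer": top["influencer_field_name"] if top else None,
        })
    return findings
```

The request's `anomaly_score` filter matches on the current score, so a request filtered at 80 would not return the downgraded bucket; query with a lower value when that history matters.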