[DOCS] Add snapshot API examples
Original commit: elastic/x-pack-elasticsearch@8928c3c1be
This commit is contained in:
parent
a0771019a5
commit
298ee9f554
|
@ -62,6 +62,11 @@ include::ml/validate-job.asciidoc[]
|
||||||
[[ml-api-snapshot-endpoint]]
|
[[ml-api-snapshot-endpoint]]
|
||||||
=== Model Snapshots
|
=== Model Snapshots
|
||||||
|
|
||||||
|
* <<ml-delete-snapshot,Delete model snapshots>>
|
||||||
|
* <<ml-get-snapshot,Get model snapshots>>
|
||||||
|
* <<ml-revert-snapshot,Revert model snapshots>>
|
||||||
|
* <<ml-update-snapshot,Update model snapshots>>
|
||||||
|
|
||||||
include::ml/delete-snapshot.asciidoc[]
|
include::ml/delete-snapshot.asciidoc[]
|
||||||
include::ml/get-snapshot.asciidoc[]
|
include::ml/get-snapshot.asciidoc[]
|
||||||
include::ml/revert-snapshot.asciidoc[]
|
include::ml/revert-snapshot.asciidoc[]
|
||||||
|
@ -83,6 +88,13 @@ include::ml/get-record.asciidoc[]
|
||||||
[[ml-api-definitions]]
|
[[ml-api-definitions]]
|
||||||
=== Definitions
|
=== Definitions
|
||||||
|
|
||||||
|
* <<ml-datafeed-resource,Data feeds>>
|
||||||
|
* <<ml-datafeed-counts,Data feed counts>>
|
||||||
|
* <<ml-job-resource,Jobs>>
|
||||||
|
* <<ml-jobcounts,Job counts>>
|
||||||
|
* <<ml-snapshot-resource,Model snapshots>>
|
||||||
|
* <<ml-results-resource,Results>>
|
||||||
|
|
||||||
include::ml/datafeedresource.asciidoc[]
|
include::ml/datafeedresource.asciidoc[]
|
||||||
include::ml/jobresource.asciidoc[]
|
include::ml/jobresource.asciidoc[]
|
||||||
include::ml/jobcounts.asciidoc[]
|
include::ml/jobcounts.asciidoc[]
|
||||||
|
|
|
@ -48,8 +48,7 @@ The get data feed statistics API provides information about the operational
|
||||||
progress of a data feed. For example:
|
progress of a data feed. For example:
|
||||||
|
|
||||||
`assigment_explanation`::
|
`assigment_explanation`::
|
||||||
TBD
|
TBD. For example: ""
|
||||||
For example: ""
|
|
||||||
|
|
||||||
`node`::
|
`node`::
|
||||||
(+object+) TBD
|
(+object+) TBD
|
||||||
|
@ -61,5 +60,5 @@ progress of a data feed. For example:
|
||||||
`state`::
|
`state`::
|
||||||
(+string+) The status of the data feed,
|
(+string+) The status of the data feed,
|
||||||
which can be one of the following values:
|
which can be one of the following values:
|
||||||
* started:: The data feed is actively receiving data.
|
started:: The data feed is actively receiving data.
|
||||||
* stopped:: The data feed is stopped and will not receive data until it is re-started.
|
stopped:: The data feed is stopped and will not receive data until it is re-started.
|
||||||
|
|
|
@ -7,21 +7,15 @@ The delete model snapshot API allows you to delete an existing model snapshot.
|
||||||
|
|
||||||
`DELETE _xpack/ml/anomaly_detectors/<job_id>/model_snapshots/<snapshot_id>`
|
`DELETE _xpack/ml/anomaly_detectors/<job_id>/model_snapshots/<snapshot_id>`
|
||||||
|
|
||||||
////
|
|
||||||
===== Description
|
===== Description
|
||||||
|
|
||||||
All job configuration, model state and results are deleted.
|
IMPORTANT: You cannot delete the active model snapshot. To delete that snapshot,
|
||||||
|
first revert to a different one.
|
||||||
|
|
||||||
IMPORTANT: Deleting a job must be done via this API only. Do not delete the
|
//TBD: Where do you see restorePriority? Per old docs, the active model snapshot
|
||||||
job directly from the `.ml-*` indices using the Elasticsearch
|
//is "...the snapshot with the highest restorePriority".
|
||||||
DELETE Document API. When {security} is enabled, make sure no `write`
|
|
||||||
privileges are granted to anyone over the `.ml-*` indices.
|
|
||||||
|
|
||||||
Before you can delete a job, you must delete the data feeds that are associated with it.
|
|
||||||
//See <<>>.
|
|
||||||
|
|
||||||
It is not currently possible to delete multiple jobs using wildcards or a comma separated list.
|
|
||||||
////
|
|
||||||
===== Path Parameters
|
===== Path Parameters
|
||||||
|
|
||||||
`job_id` (required)::
|
`job_id` (required)::
|
||||||
|
|
|
@ -38,20 +38,19 @@ The API returns the following usage information:
|
||||||
|
|
||||||
`state`::
|
`state`::
|
||||||
(+string+) The status of the job, which can be one of the following values:
|
(+string+) The status of the job, which can be one of the following values:
|
||||||
|
`open`::: The job is actively receiving and processing data.
|
||||||
|
`closed`::: The job finished successfully with its model state persisted.
|
||||||
|
The job is still available to accept further data.
|
||||||
|
`closing`::: TBD
|
||||||
|
`failed`::: The job did not finish successfully due to an error.
|
||||||
|
This situation can occur due to invalid input data. In this case,
|
||||||
|
sending corrected data to a failed job re-opens the job and
|
||||||
|
resets it to an open state.
|
||||||
|
|
||||||
open:: The job is actively receiving and processing data.
|
NOTE: If you send data in a periodic cycle and close the job at the end of
|
||||||
|
each transaction, the job is marked as closed in the intervals between
|
||||||
closed:: The job finished successfully with its model state persisted.
|
when data is sent. For example, if data is sent every minute and it takes
|
||||||
The job is still available to accept further data.
|
1 second to process, the job has a closed state for 59 seconds.
|
||||||
|
|
||||||
closing:: TBD
|
|
||||||
|
|
||||||
NOTE: If you send data in a periodic cycle and close the job at the end of each transaction,
|
|
||||||
the job is marked as closed in the intervals between when data is sent.
|
|
||||||
For example, if data is sent every minute and it takes 1 second to process, the job has a closed state for 59 seconds.
|
|
||||||
|
|
||||||
failed:: The job did not finish successfully due to an error. NOTE: This can occur due to invalid input data.
|
|
||||||
In this case, sending corrected data to a failed job re-opens the job and resets it to a running state.
|
|
||||||
|
|
||||||
////
|
////
|
||||||
===== Responses
|
===== Responses
|
||||||
|
|
|
@ -55,11 +55,11 @@ The get records API allows you to retrieve anomaly records for a job.
|
||||||
|
|
||||||
===== Results
|
===== Results
|
||||||
|
|
||||||
The API returns the following information:
|
The API returns the following information:
|
||||||
|
|
||||||
`records`::
|
`records`::
|
||||||
(+array+) An array of record objects. For more information, see
|
(+array+) An array of record objects. For more information, see
|
||||||
<<ml-results-records,Records>>.
|
<<ml-results-records,Records>>.
|
||||||
|
|
||||||
////
|
////
|
||||||
===== Responses
|
===== Responses
|
||||||
|
|
|
@ -19,20 +19,44 @@ OUTDATED?: The get job API can also be applied to all jobs by using `_all` as th
|
||||||
(+string+) Identifier for the job.
|
(+string+) Identifier for the job.
|
||||||
|
|
||||||
`snapshot_id`::
|
`snapshot_id`::
|
||||||
(+string+) Identifier for the job. If you do not specify this optional parameter,
|
(+string+) Identifier for the model snapshot. If you do not specify this optional parameter,
|
||||||
the API returns information about all model snapshots that you have authority to view.
|
the API returns information about all model snapshots that you have authority to view.
|
||||||
|
|
||||||
////
|
===== Request Body
|
||||||
|
|
||||||
|
`desc`::
|
||||||
|
(+boolean+) If true, the results are sorted in descending order.
|
||||||
|
|
||||||
|
`description`::
|
||||||
|
(+string+) Returns snapshots that match this description.
|
||||||
|
//TBD: I couldn't get this to work. What description value is it using?
|
||||||
|
NOTE: It might be necessary to URL encode the description.
|
||||||
|
|
||||||
|
`end`::
|
||||||
|
(+date+) Returns snapshots with timestamps earlier than this time.
|
||||||
|
|
||||||
|
`from`::
|
||||||
|
(+integer+) Skips the specified number of snapshots.
|
||||||
|
|
||||||
|
`size`::
|
||||||
|
(+integer+) Specifies the maximum number of snapshots to obtain.
|
||||||
|
|
||||||
|
`sort`::
|
||||||
|
(+string+) Specifies the sort field for the requested snapshots.
|
||||||
|
//By default, the snapshots are sorted by the xxx value.
|
||||||
|
|
||||||
|
`start`::
|
||||||
|
(+string+) Returns snapshots with timestamps after this time.
|
||||||
|
|
||||||
===== Results
|
===== Results
|
||||||
|
|
||||||
The API returns information about the job resource. For more information, see
|
The API returns the following information:
|
||||||
<<ml-job-resource,job resources>>.
|
|
||||||
|
|
||||||
===== Query Parameters
|
`model_snapshots`::
|
||||||
|
(+array+) An array of model snapshot objects. For more information, see
|
||||||
`_stats`::
|
<<ml-snapshot-resource,Model Snapshots>>.
|
||||||
(+boolean+; default: ++true++) If true (default false), will just validate the cluster definition but will not perform the creation
|
|
||||||
|
|
||||||
|
////
|
||||||
===== Responses
|
===== Responses
|
||||||
|
|
||||||
200
|
200
|
||||||
|
@ -41,46 +65,50 @@ The API returns information about the job resource. For more information, see
|
||||||
(BasicFailedReply) The cluster specified by {cluster_id} cannot be found (code: clusters.cluster_not_found)
|
(BasicFailedReply) The cluster specified by {cluster_id} cannot be found (code: clusters.cluster_not_found)
|
||||||
412
|
412
|
||||||
(BasicFailedReply) The Elasticsearch cluster has not been shutdown yet (code: clusters.cluster_plan_state_error)
|
(BasicFailedReply) The Elasticsearch cluster has not been shutdown yet (code: clusters.cluster_plan_state_error)
|
||||||
|
////
|
||||||
|
|
||||||
===== Examples
|
===== Examples
|
||||||
|
|
||||||
.Example results for a single job
|
The following example gets model snapshot information for the
|
||||||
|
`it_ops_new_logs` job:
|
||||||
|
|
||||||
|
[source,js]
|
||||||
|
--------------------------------------------------
|
||||||
|
GET _xpack/ml/anomaly_detectors/it_ops_new_logs/model_snapshots
|
||||||
|
{
|
||||||
|
"start": "1491852977000"
|
||||||
|
}
|
||||||
|
--------------------------------------------------
|
||||||
|
// CONSOLE
|
||||||
|
// TEST[skip:todo]
|
||||||
|
|
||||||
|
In this example, the API provides a single result:
|
||||||
----
|
----
|
||||||
{
|
{
|
||||||
"count": 1,
|
"count": 1,
|
||||||
"jobs": [
|
"model_snapshots": [
|
||||||
{
|
{
|
||||||
"job_id": "it-ops-kpi",
|
"job_id": "it_ops_new_logs",
|
||||||
"description": "First simple job",
|
"timestamp": 1491852978000,
|
||||||
"create_time": 1491007356077,
|
"description": "State persisted due to job close at 2017-04-10T12:36:18-0700",
|
||||||
"finished_time": 1491007365347,
|
"snapshot_id": "1491852978",
|
||||||
"analysis_config": {
|
"snapshot_doc_count": 1,
|
||||||
"bucket_span": "5m",
|
"model_size_stats": {
|
||||||
"latency": "0ms",
|
"job_id": "it_ops_new_logs",
|
||||||
"summary_count_field_name": "doc_count",
|
"result_type": "model_size_stats",
|
||||||
"detectors": [
|
"model_bytes": 100393,
|
||||||
{
|
"total_by_field_count": 13,
|
||||||
"detector_description": "low_sum(events_per_min)",
|
"total_over_field_count": 0,
|
||||||
"function": "low_sum",
|
"total_partition_field_count": 2,
|
||||||
"field_name": "events_per_min",
|
"bucket_allocation_failures_count": 0,
|
||||||
"detector_rules": []
|
"memory_status": "ok",
|
||||||
}
|
"log_time": 1491852978000,
|
||||||
],
|
"timestamp": 1455229800000
|
||||||
"influencers": [],
|
|
||||||
"use_per_partition_normalization": false
|
|
||||||
},
|
},
|
||||||
"data_description": {
|
"latest_record_time_stamp": 1455232663000,
|
||||||
"time_field": "@timestamp",
|
"latest_result_time_stamp": 1455229800000,
|
||||||
"time_format": "epoch_ms"
|
"retain": false
|
||||||
},
|
|
||||||
"model_plot_config": {
|
|
||||||
"enabled": true
|
|
||||||
},
|
|
||||||
"model_snapshot_retention_days": 1,
|
|
||||||
"model_snapshot_id": "1491007364",
|
|
||||||
"results_index_name": "shared"
|
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
////
|
|
||||||
|
|
|
@ -18,9 +18,10 @@ A `data_counts` object has the following properties:
|
||||||
`processed_record_count`::
|
`processed_record_count`::
|
||||||
(+long+) The number of records that have been processed by the job.
|
(+long+) The number of records that have been processed by the job.
|
||||||
This value includes records with missing fields, since they are nonetheless analyzed.
|
This value includes records with missing fields, since they are nonetheless analyzed.
|
||||||
|
+
|
||||||
The following records are not processed:
|
The following records are not processed:
|
||||||
* Records not in chronological order and outside the latency window
|
* Records not in chronological order and outside the latency window
|
||||||
* Records with invalid timestamps
|
* Records with invalid timestamp
|
||||||
* Records filtered by an exclude transform
|
* Records filtered by an exclude transform
|
||||||
|
|
||||||
`processed_field_count`::
|
`processed_field_count`::
|
||||||
|
@ -107,11 +108,9 @@ NOTE: The `over` field values are counted separately for each detector and parti
|
||||||
|
|
||||||
`memory_status`::
|
`memory_status`::
|
||||||
(+string+) The status of the mathematical models. This property can have one of the following values:
|
(+string+) The status of the mathematical models. This property can have one of the following values:
|
||||||
"ok":: The models stayed below the configured value.
|
`ok`::: The models stayed below the configured value.
|
||||||
"soft_limit":: The models used more than 60% of the configured memory limit and older unused models will
|
`soft_limit`::: The models used more than 60% of the configured memory limit and older unused models will be pruned to free up space.
|
||||||
be pruned to free up space.
|
`hard_limit`::: The models used more space than the configured memory limit. As a result, not all incoming data was processed.
|
||||||
"hard_limit":: The models used more space than the configured memory limit. As a result,
|
|
||||||
not all incoming data was processed.
|
|
||||||
|
|
||||||
`log_time`::
|
`log_time`::
|
||||||
TBD
|
TBD
|
||||||
|
|
|
@ -32,62 +32,105 @@ the anomaly records into buckets.
|
||||||
A record object has the following properties:
|
A record object has the following properties:
|
||||||
|
|
||||||
`actual`::
|
`actual`::
|
||||||
TBD. For example, [633].
|
(+number+) The actual value for the bucket.
|
||||||
|
|
||||||
`bucket_span`::
|
`bucket_span`::
|
||||||
TBD. For example, 600.
|
(+number+) The length of the bucket in seconds.
|
||||||
|
This value matches the `bucket_span` that is specified in the job.
|
||||||
|
|
||||||
|
//`byFieldName`::
|
||||||
|
//TBD: This field did not appear in my results, but it might be a valid property.
|
||||||
|
// (+string+) The name of the analyzed field, if it was specified in the detector.
|
||||||
|
|
||||||
|
//`byFieldValue`::
|
||||||
|
//TBD: This field did not appear in my results, but it might be a valid property.
|
||||||
|
// (+string+) The value of `by_field_name`, if it was specified in the detecter.
|
||||||
|
|
||||||
|
//`causes`
|
||||||
|
//TBD: This field did not appear in my results, but it might be a valid property.
|
||||||
|
// (+array+) If an over field was specified in the detector, this property
|
||||||
|
// contains an array of anomaly records that are the causes for the anomaly
|
||||||
|
// that has been identified for the over field.
|
||||||
|
// If no over fields exist. this field will not be present.
|
||||||
|
// This sub-resource contains the most anomalous records for the `over_field_name`.
|
||||||
|
// For scalability reasons, a maximum of the 10 most significant causes of
|
||||||
|
// the anomaly will be returned. As part of the core analytical modeling,
|
||||||
|
// these low-level anomaly records are aggregated for their parent over field record.
|
||||||
|
// The causes resource contains similar elements to the record resource,
|
||||||
|
// namely actual, typical, *FieldName and *FieldValue.
|
||||||
|
// Probability and scores are not applicable to causes.
|
||||||
|
|
||||||
`detector_index`::
|
`detector_index`::
|
||||||
TBD. For example, 0.
|
(+number+) A unique identifier for the detector.
|
||||||
|
|
||||||
|
//`fieldName`::
|
||||||
|
// TBD: This field did not appear in my results, but it might be a valid property.
|
||||||
|
// (+string+) Certain functions require a field to operate on. For those functions,
|
||||||
|
// this is the name of the field to be analyzed.
|
||||||
|
|
||||||
`function`::
|
`function`::
|
||||||
TBD. For example, "low_non_zero_count".
|
(+string+) The function in which the anomaly occurs.
|
||||||
|
|
||||||
`function_description`::
|
`function_description`::
|
||||||
TBD. For example, "count".
|
(+string+) The description of the function in which the anomaly occurs, as
|
||||||
|
specified in the detector configuration information.
|
||||||
|
|
||||||
`influencers`::
|
`influencers`::
|
||||||
TBD. For example, [{
|
(+array+) If `influencers` was specified in the detector configuration, then
|
||||||
"influencer_field_name": "kpi_indicator",
|
this array contains influencers that contributed to or were to blame for an
|
||||||
"influencer_field_values": [
|
anomaly.
|
||||||
"online_purchases"]}].
|
|
||||||
|
|
||||||
`initial_record_score`::
|
`initial_record_score`::
|
||||||
TBD. For example, 94.1386.
|
(++) TBD. For example, 94.1386.
|
||||||
|
|
||||||
`is_interim`::
|
`is_interim`::
|
||||||
TBD. For example, false.
|
(+boolean+) If true, then this anomaly record is an interim result.
|
||||||
|
In other words, it is calculated based on partial input data
|
||||||
|
|
||||||
`job_id`::
|
`job_id`::
|
||||||
TBD. For example, "it_ops_new_kpi".
|
(+string+) A numerical character string that uniquely identifies the job.
|
||||||
|
|
||||||
`kpi_indicator`::
|
`kpi_indicator`::
|
||||||
TBD. For example, ["online_purchases"]
|
(++) TBD. For example, ["online_purchases"]
|
||||||
|
|
||||||
`partition_field_name`::
|
`partition_field_name`::
|
||||||
TBD. For example, "kpi_indicator".
|
(+string+) The name of the partition field that was used in the analysis, if
|
||||||
|
such a field was specified in the detector.
|
||||||
|
|
||||||
|
//`overFieldName`::
|
||||||
|
// TBD: This field did not appear in my results, but it might be a valid property.
|
||||||
|
// (+string+) The name of the over field, if `over_field_name` was specified
|
||||||
|
// in the detector.
|
||||||
|
|
||||||
`partition_field_value`::
|
`partition_field_value`::
|
||||||
TBD. For example, "online_purchases".
|
(+string+) The value of the partition field that was used in the analysis, if
|
||||||
|
`partition_field_name` was specified in the detector.
|
||||||
|
|
||||||
`probability`::
|
`probability`::
|
||||||
TBD. For example, 0.0000772031.
|
(+number+) The probability of the individual anomaly occurring.
|
||||||
|
This value is in the range 0 to 1. For example, 0.0000772031.
|
||||||
|
//This value is held to a high precision of over 300 decimal places.
|
||||||
|
//In scientific notation, a value of 3.24E-300 is highly unlikely and therefore
|
||||||
|
//highly anomalous.
|
||||||
|
|
||||||
`record_score`::
|
`record_score`::
|
||||||
TBD. For example, 94.1386.
|
(+number+) An anomaly score for the bucket time interval.
|
||||||
|
The score is calculated based on a sophisticated aggregation of the anomalies
|
||||||
|
in the bucket.
|
||||||
|
//Use this score for rate-controlled alerting.
|
||||||
|
|
||||||
`result_type`::
|
`result_type`::
|
||||||
TBD. For example, "record".
|
(+string+) TBD. For example, "record".
|
||||||
|
|
||||||
`sequence_num`::
|
`sequence_num`::
|
||||||
TBD. For example, 1.
|
(++) TBD. For example, 1.
|
||||||
|
|
||||||
`timestamp`::
|
`timestamp`::
|
||||||
(+date+) The start time of the bucket that contains the record,
|
(+date+) The start time of the bucket that contains the record, specified in
|
||||||
specified in ISO 8601 format. For example, 1454020800000.
|
ISO 8601 format. For example, 1454020800000.
|
||||||
|
|
||||||
`typical`::
|
`typical`::
|
||||||
TBD. For example, [3596.71].
|
(+number+) The typical value for the bucket, according to analytical modeling.
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
[[ml-results-influencers]]
|
[[ml-results-influencers]]
|
||||||
|
@ -106,42 +149,53 @@ records that contain this influencer.
|
||||||
An influencer object has the following properties:
|
An influencer object has the following properties:
|
||||||
|
|
||||||
`bucket_span`::
|
`bucket_span`::
|
||||||
TBD. For example, 300.
|
(++) TBD. For example, 300.
|
||||||
|
|
||||||
|
// Same as for buckets? i.e. (+unsigned integer+) The length of the bucket in seconds.
|
||||||
|
// This value is equal to the `bucket_span` value in the job configuration.
|
||||||
|
|
||||||
`job_id`::
|
`job_id`::
|
||||||
(+string+) A numerical character string that uniquely identifies the job.
|
(+string+) A numerical character string that uniquely identifies the job.
|
||||||
|
|
||||||
`influencer_score`::
|
`influencer_score`::
|
||||||
TBD. For example: 94.1386.
|
(+number+) An anomaly score for the influencer in this bucket time interval.
|
||||||
|
The score is calculated based upon a sophisticated aggregation of the anomalies
|
||||||
|
in the bucket for this entity. For example: 94.1386.
|
||||||
|
|
||||||
`initial_influencer_score`::
|
`initial_influencer_score`::
|
||||||
TBD. For example, 83.3831.
|
(++) TBD. For example, 83.3831.
|
||||||
|
|
||||||
`influencer_field_name`::
|
`influencer_field_name`::
|
||||||
TBD. For example, "bucket_time".
|
(+string+) The field name of the influencer.
|
||||||
|
|
||||||
`influencer_field_value`::
|
`influencer_field_value`::
|
||||||
TBD. For example, "online_purchases".
|
(+string+) The entity that influenced, contributed to, or was to blame for the
|
||||||
|
anomaly.
|
||||||
|
|
||||||
`is_interim`::
|
`is_interim`::
|
||||||
TBD. For example, false.
|
(+boolean+) If true, then this is an interim result.
|
||||||
|
In other words, it is calculated based on partial input data.
|
||||||
|
|
||||||
`kpi_indicator`::
|
`kpi_indicator`::
|
||||||
TBD. For example, "online_purchases".
|
(++) TBD. For example, "online_purchases".
|
||||||
|
|
||||||
`probability`::
|
`probability`::
|
||||||
TBD. For example, 0.0000109783.
|
(+number+) The probability that the influencer has this behavior.
|
||||||
|
This value is in the range 0 to 1. For example, 0.0000109783.
|
||||||
|
// For example, 0.03 means 3%. This value is held to a high precision of over
|
||||||
|
//300 decimal places. In scientific notation, a value of 3.24E-300 is highly
|
||||||
|
//unlikely and therefore highly anomalous.
|
||||||
|
|
||||||
`result_type`::
|
`result_type`::
|
||||||
TBD. For example, "influencer".
|
(++) TBD. For example, "influencer".
|
||||||
|
|
||||||
//TBD: How is this different from the "bucket_influencer" type?
|
//TBD: How is this different from the "bucket_influencer" type?
|
||||||
|
|
||||||
`sequence_num`::
|
`sequence_num`::
|
||||||
`TBD. For example, 2.
|
(++) TBD. For example, 2.
|
||||||
|
|
||||||
`timestamp`::
|
`timestamp`::
|
||||||
TBD. For example, 1454943900000.
|
(+date+) Influencers are produced in buckets. This value is the start time
|
||||||
|
of the bucket, specified in ISO 8601 format. For example, 1454943900000.
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
[[ml-results-buckets]]
|
[[ml-results-buckets]]
|
||||||
|
|
|
@ -1,18 +1,54 @@
|
||||||
[[ml-revert-snapshot]]
|
[[ml-revert-snapshot]]
|
||||||
==== Update Model Snapshots
|
==== Revert Model Snapshots
|
||||||
|
|
||||||
The update model snapshot API allows you to update certain properties of a snapshot.
|
The revert model snapshot API allows you to revert to a specific snapshot.
|
||||||
|
|
||||||
===== Request
|
===== Request
|
||||||
|
|
||||||
`POST _xpack/ml/anomaly_detectors/<job_id>/model_snapshots/<snapshot_id>/_update`
|
`POST _xpack/ml/anomaly_detectors/<job_id>/model_snapshots/<snapshot_id>/_revert`
|
||||||
|
|
||||||
|
|
||||||
////
|
|
||||||
===== Description
|
===== Description
|
||||||
|
|
||||||
Important:: Updates do not take effect until after then job is closed and new
|
The {ml} feature in {xpack} reacts quickly to anomalous input, learning new behaviors in data.
|
||||||
data is sent to it.
|
Highly anomalous input increases the variance in the models whilst the system learns
|
||||||
|
whether this is a new step-change in behavior or a one-off event. In the case
|
||||||
|
where this anomalous input is known to be a one-off, then it might be appropriate
|
||||||
|
to reset the model state to a time before this event. For example, you might
|
||||||
|
consider reverting to a saved snapshot after Black Friday
|
||||||
|
or a critical system failure.
|
||||||
|
|
||||||
////
|
////
|
||||||
|
To revert to a saved snapshot, you must follow this sequence:
|
||||||
|
. Close the job
|
||||||
|
. Revert to a snapshot
|
||||||
|
. Open the job
|
||||||
|
. Send new data to the job
|
||||||
|
|
||||||
|
When reverting to a snapshot, there is a choice to make about whether or not
|
||||||
|
you want to keep the results that were created between the time of the snapshot
|
||||||
|
and the current time. In the case of Black Friday for instance, you might want
|
||||||
|
to keep the results and carry on processing data from the current time,
|
||||||
|
though without the models learning the one-off behavior and compensating for it.
|
||||||
|
However, say in the event of a critical system failure and you decide to reset
|
||||||
|
and models to a previous known good state and process data from that time,
|
||||||
|
it makes sense to delete the intervening results for the known bad period and
|
||||||
|
resend data from that earlier time.
|
||||||
|
|
||||||
|
Any gaps in data since the snapshot time will be treated as nulls and not modeled.
|
||||||
|
If there is a partial bucket at the end of the snapshot and/or at the beginning
|
||||||
|
of the new input data, then this will be ignored and treated as a gap.
|
||||||
|
|
||||||
|
For jobs with many entities, the model state may be very large.
|
||||||
|
If a model state is several GB, this could take 10-20 mins to revert depending
|
||||||
|
upon machine spec and resources. If this is the case, please ensure this time
|
||||||
|
is planned for.
|
||||||
|
Model size (in bytes) is available as part of the Job Resource Model Size Stats.
|
||||||
|
////
|
||||||
|
IMPORTANT: Before you revert to a saved snapshot, you must close the job.
|
||||||
|
Sending data to a closed job changes its status to `open`, so you must also
|
||||||
|
ensure that you do not expect data imminently.
|
||||||
|
|
||||||
===== Path Parameters
|
===== Path Parameters
|
||||||
|
|
||||||
`job_id` (required)::
|
`job_id` (required)::
|
||||||
|
@ -23,30 +59,16 @@ data is sent to it.
|
||||||
|
|
||||||
===== Request Body
|
===== Request Body
|
||||||
|
|
||||||
The following properties can be updated after the job is created:
|
`delete_intervening_results`::
|
||||||
|
(+boolean+) If true, deletes the results in the time period between the
|
||||||
|
latest results and the time of the reverted snapshot. It also resets the
|
||||||
|
model to accept records for this time period.
|
||||||
|
|
||||||
TBD
|
NOTE: If you choose not to delete intervening results when reverting a snapshot,
|
||||||
|
the job will not accept input data that is older than the current time.
|
||||||
|
If you want to resend data, then delete the intervening results.
|
||||||
|
|
||||||
////
|
////
|
||||||
`analysis_config`::
|
|
||||||
(+object+) The analysis configuration, which specifies how to analyze the data.
|
|
||||||
See <<ml-analysisconfig, analysis configuration objects>>. In particular, the following properties can be updated: `categorization_filters`, `detector_description`, TBD.
|
|
||||||
|
|
||||||
`analysis_limits`::
|
|
||||||
Optionally specifies runtime limits for the job. See <<ml-apilimits,analysis limits>>.
|
|
||||||
|
|
||||||
[NOTE]
|
|
||||||
* You can update the `analysis_limits` only while the job is closed.
|
|
||||||
* The `model_memory_limit` property value cannot be decreased.
|
|
||||||
* If the `memory_status` property in the `model_size_stats` object has a value of `hard_limit`,
|
|
||||||
increasing the `model_memory_limit` is not recommended.
|
|
||||||
|
|
||||||
`description`::
|
|
||||||
(+string+) An optional description of the job.
|
|
||||||
|
|
||||||
|
|
||||||
This expects data to be sent in JSON format using the POST `_data` API.
|
|
||||||
|
|
||||||
===== Responses
|
===== Responses
|
||||||
|
|
||||||
TBD
|
TBD
|
||||||
|
@ -56,34 +78,49 @@ TBD
|
||||||
(BasicFailedReply) The cluster specified by {cluster_id} cannot be found (code: clusters.cluster_not_found)
|
(BasicFailedReply) The cluster specified by {cluster_id} cannot be found (code: clusters.cluster_not_found)
|
||||||
412
|
412
|
||||||
(BasicFailedReply) The Elasticsearch cluster has not been shutdown yet (code: clusters.cluster_plan_state_error)
|
(BasicFailedReply) The Elasticsearch cluster has not been shutdown yet (code: clusters.cluster_plan_state_error)
|
||||||
|
////
|
||||||
|
|
||||||
===== Examples
|
===== Examples
|
||||||
|
|
||||||
The following example updates the `it-ops-kpi` job:
|
The following example reverts to the `1491856080` snapshot for the
|
||||||
|
`it_ops_new_kpi` job:
|
||||||
|
|
||||||
[source,js]
|
[source,js]
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
PUT _xpack/ml/anomaly_detectors/it-ops-kpi/_update
|
POST
|
||||||
|
_xpack/ml/anomaly_detectors/it_ops_new_kpi/model_snapshots/1491856080/_revert
|
||||||
{
|
{
|
||||||
"description":"New description",
|
"delete_intervening_results": true
|
||||||
"analysis_limits":{
|
|
||||||
"model_memory_limit": 8192
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
// CONSOLE
|
// CONSOLE
|
||||||
// TEST[skip:todo]
|
// TEST[skip:todo]
|
||||||
|
|
||||||
When the job is updated, you receive the following results:
|
When the operation is complete, you receive the following results:
|
||||||
----
|
----
|
||||||
{
|
{
|
||||||
"job_id": "it-ops-kpi",
|
"acknowledged": true,
|
||||||
"description": "New description",
|
"model": {
|
||||||
...
|
"job_id": "it_ops_new_kpi",
|
||||||
"analysis_limits": {
|
"timestamp": 1491856080000,
|
||||||
"model_memory_limit": 8192
|
"description": "State persisted due to job close at 2017-04-10T13:28:00-0700",
|
||||||
...
|
"snapshot_id": "1491856080",
|
||||||
|
"snapshot_doc_count": 1,
|
||||||
|
"model_size_stats": {
|
||||||
|
"job_id": "it_ops_new_kpi",
|
||||||
|
"result_type": "model_size_stats",
|
||||||
|
"model_bytes": 29518,
|
||||||
|
"total_by_field_count": 3,
|
||||||
|
"total_over_field_count": 0,
|
||||||
|
"total_partition_field_count": 2,
|
||||||
|
"bucket_allocation_failures_count": 0,
|
||||||
|
"memory_status": "ok",
|
||||||
|
"log_time": 1491856080000,
|
||||||
|
"timestamp": 1455318000000
|
||||||
|
},
|
||||||
|
"latest_record_time_stamp": 1455318669000,
|
||||||
|
"latest_result_time_stamp": 1455318000000,
|
||||||
|
"retain": false
|
||||||
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
////
|
|
||||||
|
|
|
@ -1,10 +1,82 @@
|
||||||
[[ml-snapshot-resource]]
|
[[ml-snapshot-resource]]
|
||||||
==== Model Snapshot Resources
|
==== Model Snapshot Resources
|
||||||
|
|
||||||
|
////
|
||||||
|
Model snapshots are saved to disk periodically.
|
||||||
|
By default, this is occurs approximately every 3 hours.
|
||||||
|
//TBD: Can you change this setting?
|
||||||
|
|
||||||
|
By default, model snapshots are retained for one day. You can change this
|
||||||
|
behavior with by updating the `model_snapshot_retention_days` for the job.
|
||||||
|
When choosing a new value, consider the following:
|
||||||
|
|
||||||
|
* Persistence enables resilience in the event of a system failure.
|
||||||
|
* Persistence allows for snapshots to be reverted.
|
||||||
|
* The time taken to persist a job is proportional to the size of the model in memory.
|
||||||
|
//* The smallest allowed value is 3600 (1 hour).
|
||||||
|
////
|
||||||
|
|
||||||
A model snapshot resource has the following properties:
|
A model snapshot resource has the following properties:
|
||||||
|
|
||||||
TBD
|
`description`::
|
||||||
////
|
(+string+) An optional description of the job.
|
||||||
`analysis_config`::
|
|
||||||
(+object+) The analysis configuration, which specifies how to analyze the data. See <<ml-analysisconfig, analysis configuration objects>>.
|
`job_id`::
|
||||||
////
|
(+string+) A numerical character string that uniquely identifies the job.
|
||||||
|
|
||||||
|
`latest_record_time_stamp`::
|
||||||
|
(++) TBD. For example: 1455232663000.
|
||||||
|
|
||||||
|
`latest_result_time_stamp`::
|
||||||
|
(++) TBD. For example: 1455229800000.
|
||||||
|
|
||||||
|
`model_size_stats`::
|
||||||
|
(+object+) TBD.
|
||||||
|
|
||||||
|
`retain`::
|
||||||
|
(+boolean+) TBD. For example: false.
|
||||||
|
|
||||||
|
`snapshot_id`::
|
||||||
|
(+string+) A numerical character string that uniquely identifies the model
|
||||||
|
snapshot. For example: "1491852978".
|
||||||
|
|
||||||
|
`snapshot_doc_count`::
|
||||||
|
(++) TBD. For example: 1.
|
||||||
|
|
||||||
|
`timestamp`::
|
||||||
|
(+date+) The creation timestamp for the snapshot, specified in ISO 8601 format.
|
||||||
|
For example: 1491852978000.
|
||||||
|
|
||||||
|
===== Model Size Statistics
|
||||||
|
|
||||||
|
The `model_size_stats` object has the following properties:
|
||||||
|
|
||||||
|
`bucket_allocation_failures_count`::
|
||||||
|
(++) TBD. For example: 0.
|
||||||
|
|
||||||
|
`job_id`::
|
||||||
|
(+string+) A numerical character string that uniquely identifies the job.
|
||||||
|
|
||||||
|
`log_time`::
|
||||||
|
(++) TBD. For example: 1491852978000.
|
||||||
|
|
||||||
|
`memory_status`::
|
||||||
|
(++) TBD. For example: "ok".
|
||||||
|
|
||||||
|
`model_bytes`::
|
||||||
|
(++) TBD. For example: 100393.
|
||||||
|
|
||||||
|
`result_type`::
|
||||||
|
(++) TBD. For example: "model_size_stats".
|
||||||
|
|
||||||
|
`timestamp`::
|
||||||
|
(++) TBD. For example: 1455229800000.
|
||||||
|
|
||||||
|
`total_by_field_count`::
|
||||||
|
(++) TBD. For example: 13.
|
||||||
|
|
||||||
|
`total_over_field_count`::
|
||||||
|
(++) TBD. For example: 0.
|
||||||
|
|
||||||
|
`total_partition_field_count`::
|
||||||
|
(++) TBD. For example: 2.
|
||||||
|
|
|
@ -7,12 +7,14 @@ The update model snapshot API allows you to update certain properties of a snaps
|
||||||
|
|
||||||
`POST _xpack/ml/anomaly_detectors/<job_id>/model_snapshots/<snapshot_id>/_update`
|
`POST _xpack/ml/anomaly_detectors/<job_id>/model_snapshots/<snapshot_id>/_update`
|
||||||
|
|
||||||
////
|
|
||||||
===== Description
|
===== Description
|
||||||
|
|
||||||
Important:: Updates do not take effect until after then job is closed and new
|
//TBD. Is the following still true?
|
||||||
data is sent to it.
|
|
||||||
////
|
Updates to the configuration are only applied after the job has been closed
|
||||||
|
and new data has been sent to it.
|
||||||
|
|
||||||
===== Path Parameters
|
===== Path Parameters
|
||||||
|
|
||||||
`job_id` (required)::
|
`job_id` (required)::
|
||||||
|
@ -23,30 +25,15 @@ data is sent to it.
|
||||||
|
|
||||||
===== Request Body
|
===== Request Body
|
||||||
|
|
||||||
The following properties can be updated after the job is created:
|
The following properties can be updated after the model snapshot is created:
|
||||||
|
|
||||||
TBD
|
|
||||||
|
|
||||||
////
|
|
||||||
`analysis_config`::
|
|
||||||
(+object+) The analysis configuration, which specifies how to analyze the data.
|
|
||||||
See <<ml-analysisconfig, analysis configuration objects>>. In particular, the following properties can be updated: `categorization_filters`, `detector_description`, TBD.
|
|
||||||
|
|
||||||
`analysis_limits`::
|
|
||||||
Optionally specifies runtime limits for the job. See <<ml-apilimits,analysis limits>>.
|
|
||||||
|
|
||||||
[NOTE]
|
|
||||||
* You can update the `analysis_limits` only while the job is closed.
|
|
||||||
* The `model_memory_limit` property value cannot be decreased.
|
|
||||||
* If the `memory_status` property in the `model_size_stats` object has a value of `hard_limit`,
|
|
||||||
increasing the `model_memory_limit` is not recommended.
|
|
||||||
|
|
||||||
`description`::
|
`description`::
|
||||||
(+string+) An optional description of the job.
|
(+string+) An optional description of the model snapshot.
|
||||||
|
|
||||||
|
`retain`::
|
||||||
|
(+boolean+) TBD.
|
||||||
|
|
||||||
This expects data to be sent in JSON format using the POST `_data` API.
|
////
|
||||||
|
|
||||||
===== Responses
|
===== Responses
|
||||||
|
|
||||||
TBD
|
TBD
|
||||||
|
@ -56,34 +43,34 @@ TBD
|
||||||
(BasicFailedReply) The cluster specified by {cluster_id} cannot be found (code: clusters.cluster_not_found)
|
(BasicFailedReply) The cluster specified by {cluster_id} cannot be found (code: clusters.cluster_not_found)
|
||||||
412
|
412
|
||||||
(BasicFailedReply) The Elasticsearch cluster has not been shutdown yet (code: clusters.cluster_plan_state_error)
|
(BasicFailedReply) The Elasticsearch cluster has not been shutdown yet (code: clusters.cluster_plan_state_error)
|
||||||
|
////
|
||||||
|
|
||||||
===== Examples
|
===== Examples
|
||||||
|
|
||||||
The following example updates the `it-ops-kpi` job:
|
The following example updates the snapshot identified as `1491852978`:
|
||||||
|
|
||||||
[source,js]
|
[source,js]
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
PUT _xpack/ml/anomaly_detectors/it-ops-kpi/_update
|
POST
|
||||||
|
_xpack/ml/anomaly_detectors/it_ops_new_logs/model_snapshots/1491852978/_update
|
||||||
{
|
{
|
||||||
"description":"New description",
|
"description": "Snapshot 1",
|
||||||
"analysis_limits":{
|
"retain": true
|
||||||
"model_memory_limit": 8192
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
// CONSOLE
|
// CONSOLE
|
||||||
// TEST[skip:todo]
|
// TEST[skip:todo]
|
||||||
|
|
||||||
When the job is updated, you receive the following results:
|
When the snapshot is updated, you receive the following results:
|
||||||
----
|
----
|
||||||
{
|
{
|
||||||
"job_id": "it-ops-kpi",
|
"acknowledged": true,
|
||||||
"description": "New description",
|
"model": {
|
||||||
...
|
"job_id": "it_ops_new_logs",
|
||||||
"analysis_limits": {
|
"timestamp": 1491852978000,
|
||||||
"model_memory_limit": 8192
|
"description": "Snapshot 1",
|
||||||
...
|
...
|
||||||
|
"retain": true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
////
|
|
||||||
|
|
Loading…
Reference in New Issue