diff --git a/docs/en/ml/getting-started-multi.asciidoc b/docs/en/ml/getting-started-multi.asciidoc index a9d89efd07a..2cf745230af 100644 --- a/docs/en/ml/getting-started-multi.asciidoc +++ b/docs/en/ml/getting-started-multi.asciidoc @@ -213,6 +213,12 @@ typical and actual values and the influencers that contributed to the anomaly. image::images/ml-gs-job2-explorer-table.jpg["Job results table"] Notice that there are anomalies for both detectors, that is to say for both the -`high_mean(response)` and the `sum(total)` metrics in this time interval. By +`high_mean(response)` and the `sum(total)` metrics in this time interval. The +table aggregates the anomalies to show the highest severity anomaly per detector +and entity, which is the by, over, or partition field value that is displayed +in the **found for** column. To view all the anomalies without any aggregation, +set the **Interval** to `Show all`. + +By investigating multiple metrics in a single job, you might see relationships between events in your data that would otherwise be overlooked. diff --git a/docs/en/ml/getting-started.asciidoc b/docs/en/ml/getting-started.asciidoc index 9d9660dd8d4..978d9984d47 100644 --- a/docs/en/ml/getting-started.asciidoc +++ b/docs/en/ml/getting-started.asciidoc 
@@ -629,10 +629,21 @@ of the viewer. For example: [role="screenshot"] image::images/ml-gs-job1-anomalies.jpg["Single Metric Viewer Anomalies for total-requests job"] - For each anomaly you can see key details such as the time, the actual and expected ("typical") values, and their probability. +By default, the table contains all anomalies that have a severity of "warning" +or higher in the selected section of the timeline. If you are only interested in +critical anomalies, for example, you can change the severity threshold for this +table. + +The anomalies table also automatically calculates an interval for the data in +the table. If the time difference between the earliest and latest records in the +table is less than two days, the data is aggregated by hour to show the details +of the highest severity anomaly for each detector. Otherwise, it is +aggregated by day. You can change the interval for the table, for example, to +show all anomalies. + You can see the same information in a different format by using the **Anomaly Explorer**: [role="screenshot"]
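Review bot: In the getting-started-multi.asciidoc hunk, the added sentence "The table aggregates the anomalies to show the highest severity anomaly per detector and entity, which is the by, over, or partition field value ..." never says what time span the aggregation covers, so a reader of this page has no way to know what the **Interval** setting changes other than `Show all`. The hour/day rule is explained only in the getting-started.asciidoc hunk; add a clause or a cross-reference to it here. The "which is ..." clause is also meant to define "entity" but reads as if it modified "detector and entity", so consider splitting it into its own sentence. The wording also disagrees with the other hunk, which says "for each detector" with no mention of the entity; pick one description and use it in both files.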
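Review bot: In the getting-started.asciidoc hunk, the two added paragraphs say "you can change the severity threshold for this table" and "You can change the interval for the table" without naming the UI controls, while the getting-started-multi.asciidoc hunk uses the bold label **Interval** and the value `Show all`. Use the same labels here, and name the severity control the same way, so the two pages match and the reader can find the settings. "for example, to show all anomalies" would then become an explicit reference to the `Show all` value. Separately, the hunk drops the blank line between the `image::` macro and "For each anomaly you can see key details"; if that was not intentional, restore it so the paragraph stays separated from the image block.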