[DOCS] Describe severity threshold and interval in anomaly table (elastic/x-pack-elasticsearch#2266)

* [DOCS] Describe severity threshold and interval in anomaly table

* [DOCS] Describe aggregation in anomaly table

* [DOCS] Fixed capitalization in ML getting started

Original commit: elastic/x-pack-elasticsearch@d4224c9fe8
This commit is contained in:
Lisa Cawley 2017-08-17 12:56:58 -07:00 committed by GitHub
parent e97b6dcc47
commit 8e7bd27186
2 changed files with 19 additions and 2 deletions

@ -213,6 +213,12 @@ typical and actual values and the influencers that contributed to the anomaly.
image::images/ml-gs-job2-explorer-table.jpg["Job results table"]
Notice that there are anomalies for both detectors, that is to say for both the
`high_mean(response)` and the `sum(total)` metrics in this time interval. By
`high_mean(response)` and the `sum(total)` metrics in this time interval. The
table aggregates the anomalies to show the highest severity anomaly per detector
and entity, which is the by, over, or partition field value that is displayed
in the **found for** column. To view all the anomalies without any aggregation,
set the **Interval** to `Show all`.
By
investigating multiple metrics in a single job, you might see relationships
between events in your data that would otherwise be overlooked.
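Review bot: the inserted aggregation paragraph splits the existing sentence so that "By" is left alone on its own line after "set the **Interval** to `Show all`.", with "investigating multiple metrics in a single job, you might see relationships" continuing on the next line; rejoin it as "By investigating multiple metrics in a single job, you might see relationships" on one line, and since the visible lines show no blank line between the new paragraph and this sentence, add one if the multi-metric point is meant to render as its own AsciiDoc paragraph.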

@ -629,10 +629,21 @@ of the viewer. For example:
[role="screenshot"]
image::images/ml-gs-job1-anomalies.jpg["Single Metric Viewer Anomalies for total-requests job"]
For each anomaly you can see key details such as the time, the actual and
expected ("typical") values, and their probability.
By default, the table contains all anomalies that have a severity of "warning"
or higher in the selected section of the timeline. If you are only interested in
critical anomalies, for example, you can change the severity threshold for this
table.
The anomalies table also automatically calculates an interval for the data in
the table. If the time difference between the earliest and latest records in the
table is less than two days, the data is aggregated by hour to show the details
of the highest severity anomaly for each detector. Otherwise, it is
aggregated by day. You can change the interval for the table, for example, to
show all anomalies.
You can see the same information in a different format by using the
**Anomaly Explorer**:
[role="screenshot"]
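Review bot: the interval paragraph says hourly aggregation shows "the highest severity anomaly for each detector", while the text added in the same commit to the Anomaly Explorer section says the table aggregates "per detector and entity" (the by, over, or partition field value); align the two, for example "to show the details of the highest severity anomaly for each detector and entity". "Otherwise, it is aggregated by day" would also read more clearly with the condition stated, for example "If the time difference is two days or more, the data is aggregated by day".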