Original commit: elastic/x-pack-elasticsearch@84f8b4b9bd
Lisa Cawley 2017-04-24 10:46:17 -07:00 committed by lcawley
parent ee59f18d42
commit af47002654
14 changed files with 76 additions and 85 deletions

View File

@ -39,15 +39,16 @@ roles provide these privileges. For more information, see
`end`:: `end`::
(string) Returns buckets with timestamps earlier than this time. (string) Returns buckets with timestamps earlier than this time.
`exclude_interim`::
(boolean) If true, the output excludes interim results.
By default, interim results are included.
`expand`:: `expand`::
(boolean) If true, the output includes anomaly records. (boolean) If true, the output includes anomaly records.
`from`:: `from`::
(integer) Skips the specified number of buckets. (integer) Skips the specified number of buckets.
`exclude_interim`::
(boolean) If true, the output excludes interim results. These are included by default.
`size`:: `size`::
(integer) Specifies the maximum number of buckets to obtain. (integer) Specifies the maximum number of buckets to obtain.

View File

@ -23,7 +23,8 @@ privileges to use this API. For more information, see <<privileges-list-cluster>
`feed_id`:: `feed_id`::
(string) Identifier for the data feed. (string) Identifier for the data feed.
Does not support wildcards, however you may specify `_all` to get information about all data feeds. This parameter does not support wildcards, but you can specify `_all` or
omit the `feed_id` to get information about all data feeds.
===== Results ===== Results
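Review bot: The new `feed_id` text in this file adds "or omit the `feed_id`", which the old wording ("you may specify `_all`") did not promise. The other data feed page in this commit already said "or leave blank", so the alignment is probably right, but please confirm that this endpoint accepts a request with no `feed_id` before documenting it.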

View File

@ -22,7 +22,8 @@ privileges to use this API. For more information, see <<privileges-list-cluster>
`feed_id`:: `feed_id`::
(string) Identifier for the data feed. (string) Identifier for the data feed.
Does not support wildcards, however you may specify `_all` or leave blank to get information about all data feeds. This parameter does not support wildcards, but you can specify `_all` or
omit the `feed_id` to get information about all data feeds.
===== Results ===== Results

View File

@ -31,12 +31,14 @@ roles provide these privileges. For more information, see
`end`:: `end`::
(string) Returns influencers with timestamps earlier than this time. (string) Returns influencers with timestamps earlier than this time.
`exclude_interim`::
(boolean) If true, the output excludes interim results.
By default, interim results are included.
`from`:: `from`::
(integer) Skips the specified number of influencers. (integer) Skips the specified number of influencers.
`exclude_interim`::
(boolean) If true, the output excludes interim results. These are included by default.
`influencer_score`:: `influencer_score`::
(double) Returns influencers with anomaly scores higher than this value. (double) Returns influencers with anomaly scores higher than this value.

View File

@ -20,7 +20,8 @@ privileges to use this API. For more information, see <<privileges-list-cluster>
`job_id`:: `job_id`::
(string) A required identifier for the job. (string) A required identifier for the job.
Does not support wildcards, however you may specify `_all` to get information about all jobs. This parameter does not support wildcards, but you can specify `_all` or omit
the `job_id` to get information about all jobs.
===== Results ===== Results
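Review bot: The unchanged line "(string) A required identifier for the job." now contradicts the new sentence, which says you can "omit the `job_id` to get information about all jobs". Drop "required" here, as the other job page in this commit already reads "(string) Identifier for the job."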

View File

@ -20,7 +20,8 @@ privileges to use this API. For more information, see <<privileges-list-cluster>
`job_id`:: `job_id`::
(string) Identifier for the job. (string) Identifier for the job.
Does not support wildcards, however you may specify `_all` or leave blank to get information about all jobs. This parameter does not support wildcards, but you can specify `_all` or omit
the `job_id` to get information about all jobs.
===== Results ===== Results

View File

@ -30,12 +30,13 @@ roles provide these privileges. For more information, see
`end`:: `end`::
(string) Returns records with timestamps earlier than this time. (string) Returns records with timestamps earlier than this time.
`exclude_interim`::
(boolean) If true, the output excludes interim results.
By default, interim results are included.
`from`:: `from`::
(integer) Skips the specified number of records. (integer) Skips the specified number of records.
`exclude_interim`::
(boolean) If true, the output excludes interim results. These are included by default.
`record_score`:: `record_score`::
(double) Returns records with anomaly scores higher than this value. (double) Returns records with anomaly scores higher than this value.

View File

@ -96,14 +96,11 @@ or old results are deleted, the job counts are not reset.
configured to analyze. Records with missing fields are still processed because configured to analyze. Records with missing fields are still processed because
it is possible that not all fields are missing. The value of it is possible that not all fields are missing. The value of
`processed_record_count` includes this count. + `processed_record_count` includes this count. +
+
--
NOTE: If you are using data feeds or posting data to the job in JSON format, a NOTE: If you are using data feeds or posting data to the job in JSON format, a
high `missing_field_count` is often not an indication of data issues. It is not high `missing_field_count` is often not an indication of data issues. It is not
necessarily a cause for concern. necessarily a cause for concern.
--
`out_of_order_timestamp_count`:: `out_of_order_timestamp_count`::
(long) The number of records that are out of time sequence and (long) The number of records that are out of time sequence and
outside of the latency window. This information is applicable only when outside of the latency window. This information is applicable only when
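Review bot: With the `+` and `--` lines removed, the NOTE about `missing_field_count` depends on the trailing ` +` of "`processed_record_count` includes this count. +", and in AsciiDoc that is a hard line break, not a list continuation. Depending on whether a blank line precedes it, the NOTE is either folded into the description paragraph as literal text or detached from the list entry, so please check the rendered output, here and for the other NOTE and IMPORTANT blocks unwrapped in this commit.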
@ -171,19 +168,13 @@ The `model_size_stats` object has the following properties:
`total_by_field_count`:: `total_by_field_count`::
(long) The number of `by` field values that were analyzed by the models. (long) The number of `by` field values that were analyzed by the models.
+
--
NOTE: The `by` field values are counted separately for each detector and partition.
-- NOTE: The `by` field values are counted separately for each detector and partition.
`total_over_field_count`:: `total_over_field_count`::
(long) The number of `over` field values that were analyzed by the models. (long) The number of `over` field values that were analyzed by the models.
+
--
NOTE: The `over` field values are counted separately for each detector and partition.
-- NOTE: The `over` field values are counted separately for each detector and partition.
`total_partition_field_count`:: `total_partition_field_count`::
(long) The number of `partition` field values that were analyzed by the models. (long) The number of `partition` field values that were analyzed by the models.
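Review bot: The NOTE lines under `total_by_field_count` and `total_over_field_count` are handled differently from the other unwrapped notes in this commit: the description line above each one ("(long) The number of `by` field values that were analyzed by the models.") has no trailing ` +`, while the others do. Pick one way of attaching the admonition to its entry and use it for every NOTE, ideally keeping the `+` list continuation on its own line.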

View File

@ -15,9 +15,12 @@ A job resource has the following properties:
`background_persist_interval`:: `background_persist_interval`::
(time units) Advanced configuration option. (time units) Advanced configuration option.
The time between each periodic persistence of the model. The time between each periodic persistence of the model.
The default value is a randomized value between 3 to 4 hours which avoid all jobs persisting at exactly the same time. The default value is a randomized value between 3 to 4 hours, which avoids
For very large models (several GB), persistence could take 10-20 minutes, so please do not set this value too low. all jobs persisting at exactly the same time. The smallest allowed value is
The smallest allowed value is 1 hour. 1 hour. +
TIP: For very large models (several GB), persistence could take 10-20 minutes,
so do not set the `background_persist_interval` value too low.
`create_time`:: `create_time`::
(string) The time the job was created, in ISO 8601 format. (string) The time the job was created, in ISO 8601 format.
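Review bot: The rewritten `background_persist_interval` sentence keeps "between 3 to 4 hours"; it should read "between 3 and 4 hours". The new TIP also says not to set the value "too low" right after stating that the smallest allowed value is 1 hour, so it would help to say what the tip adds beyond that floor, for example a suggested minimum for models of several GB.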
@ -65,8 +68,9 @@ A job resource has the following properties:
`results_retention_days`:: `results_retention_days`::
(long) Advanced configuration option. (long) Advanced configuration option.
The number of days for which job results are retained. The number of days for which job results are retained.
Once per day at 00:30 (server time), results older than this period will be deleted from Elasticsearch. Once per day at 00:30 (server time), results older than this period are
The default value is null, i.e. results are retained. deleted from Elasticsearch. The default value is null, which means results
are retained.
[[ml-analysisconfig]] [[ml-analysisconfig]]
===== Analysis Configuration Objects ===== Analysis Configuration Objects
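Review bot: In `results_retention_days`, "The default value is null, which means results are retained" does not say for how long. If null means results are never deleted by the daily 00:30 cleanup, say "retained indefinitely", since readers sizing storage or setting a data retention policy need that stated outright.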
@ -95,12 +99,10 @@ An analysis configuration object has the following properties:
(array) An array of detector configuration objects, (array) An array of detector configuration objects,
which describe the anomaly detectors that are used in the job. which describe the anomaly detectors that are used in the job.
See <<ml-detectorconfig,detector configuration objects>>. + See <<ml-detectorconfig,detector configuration objects>>. +
+
--
NOTE: If the `detectors` array does not contain at least one detector, no analysis can occur
and an error is returned.
-- NOTE: If the `detectors` array does not contain at least one detector,
no analysis can occur and an error is returned.
`influencers`:: `influencers`::
(array of strings) A comma separated list of influencer field names. (array of strings) A comma separated list of influencer field names.
Typically these can be the by, over, or partition fields that are used in the Typically these can be the by, over, or partition fields that are used in the
@ -112,12 +114,10 @@ and an error is returned.
`latency`:: `latency`::
(unsigned integer) The size of the window, in seconds, in which to expect data (unsigned integer) The size of the window, in seconds, in which to expect data
that is out of time order. The default value is 0 (no latency). + that is out of time order. The default value is 0 (no latency). +
+
--
NOTE: Latency is only applicable when you send data by using NOTE: Latency is only applicable when you send data by using
the <<ml-post-data,post data>> API. the <<ml-post-data,post data>> API.
--
`multivariate_by_fields`:: `multivariate_by_fields`::
(boolean) If set to `true`, the analysis will automatically find correlations (boolean) If set to `true`, the analysis will automatically find correlations
between metrics for a given `by` field value and report anomalies when those between metrics for a given `by` field value and report anomalies when those
@ -126,24 +126,20 @@ the <<ml-post-data,post data>> API.
correlation occurs because they are running a load-balanced application. correlation occurs because they are running a load-balanced application.
If you enable this property, then anomalies will be reported when, for example, If you enable this property, then anomalies will be reported when, for example,
CPU usage on host A is high and the value of CPU usage on host B is low. CPU usage on host A is high and the value of CPU usage on host B is low.
That is to say, you'll see an anomaly when the CPU of host A is unusual given the CPU of host B. + That is to say, you'll see an anomaly when the CPU of host A is unusual given
+ the CPU of host B. +
--
NOTE: To use the `multivariate_by_fields` property, you must also specify NOTE: To use the `multivariate_by_fields` property, you must also specify
`by_field_name` in your detector. `by_field_name` in your detector.
--
`summary_count_field_name`:: `summary_count_field_name`::
(string) If not null, the data fed to the job is expected to be pre-summarized. (string) If not null, the data fed to the job is expected to be pre-summarized.
This property value is the name of the field that contains the count of raw This property value is the name of the field that contains the count of raw
data points that have been summarized. The same `summary_count_field_name` data points that have been summarized. The same `summary_count_field_name`
applies to all detectors in the job. + applies to all detectors in the job. +
+
--
NOTE: The `summary_count_field_name` property cannot be used with the `metric` function.
-- NOTE: The `summary_count_field_name` property cannot be used with the `metric`
function.
//// ////
LEAVE UNDOCUMENTED LEAVE UNDOCUMENTED
@ -181,11 +177,8 @@ Each detector has the following properties:
`field_name`:: `field_name`::
(string) The field that the detector uses in the function. If you use an event rate (string) The field that the detector uses in the function. If you use an event rate
function such as `count` or `rare`, do not specify this field. + function such as `count` or `rare`, do not specify this field. +
+
--
NOTE: The `field_name` cannot contain double quotes or backslashes.
-- NOTE: The `field_name` cannot contain double quotes or backslashes.
`function` (required):: `function` (required)::
(string) The analysis function that is used. (string) The analysis function that is used.
@ -203,13 +196,10 @@ NOTE: The `field_name` cannot contain double quotes or backslashes.
`use_null`:: `use_null`::
(boolean) Defines whether a new series is used as the null series (boolean) Defines whether a new series is used as the null series
when there is no value for the by or partition fields. The default value is `false`. + when there is no value for the by or partition fields. The default value is `false`. +
+
--
IMPORTANT: Field names are case sensitive, for example a field named 'Bytes' IMPORTANT: Field names are case sensitive, for example a field named 'Bytes'
is different from one named 'bytes'. is different from one named 'bytes'.
--
//// ////
LEAVE UNDOCUMENTED LEAVE UNDOCUMENTED
`detector_rules`:: `detector_rules`::
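Review bot: The IMPORTANT about field names being case sensitive sits under `use_null`, but it applies to every field name property of the detector, not to `use_null`. Since this hunk already changes how the block is attached, consider moving it to the introduction of the detector properties or to `field_name`.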
@ -242,16 +232,13 @@ A data description object has the following properties:
since 1 Jan 1970). since 1 Jan 1970).
The value `epoch_ms` indicates that time is measured in milliseconds since the epoch. The value `epoch_ms` indicates that time is measured in milliseconds since the epoch.
The `epoch` and `epoch_ms` time formats accept either integer or real values. + The `epoch` and `epoch_ms` time formats accept either integer or real values. +
+
--
NOTE: Custom patterns must conform to the Java `DateTimeFormatter` class. NOTE: Custom patterns must conform to the Java `DateTimeFormatter` class.
When you use date-time formatting patterns, it is recommended that you provide When you use date-time formatting patterns, it is recommended that you provide
the full date, time and time zone. For example: `yyyy-MM-dd'T'HH:mm:ssX`. the full date, time and time zone. For example: `yyyy-MM-dd'T'HH:mm:ssX`.
If the pattern that you specify is not sufficient to produce a complete timestamp, If the pattern that you specify is not sufficient to produce a complete timestamp,
job creation fails. job creation fails.
--
[float] [float]
[[ml-apilimits]] [[ml-apilimits]]
@ -269,11 +256,8 @@ The `analysis_limits` object has the following properties:
in the results data store. The default value is 4. If you increase this value, in the results data store. The default value is 4. If you increase this value,
more examples are available, however it requires that you have more storage available. more examples are available, however it requires that you have more storage available.
If you set this value to `0`, no examples are stored. + If you set this value to `0`, no examples are stored. +
+
--
NOTE: The `categorization_examples_limit` only applies to analysis that uses categorization.
-- NOTE: The `categorization_examples_limit` only applies to analysis that uses categorization.
`model_memory_limit`:: `model_memory_limit`::
(long) The maximum amount of memory, in MiB, that the mathematical models can use. (long) The maximum amount of memory, in MiB, that the mathematical models can use.

View File

@ -11,8 +11,9 @@ The preview data feed API enables you to preview a data feed.
===== Description ===== Description
The API returns the first "page" of results from the `search` created using the current data feed settings. The API returns the first "page" of results from the `search` that is created
This shows the structure of the data that will be passed to the anomaly detection engine. by using the current data feed settings. This preview shows the structure of
the data that will be passed to the anomaly detection engine.
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
privileges to use this API. For more information, see <<privileges-list-cluster>>. privileges to use this API. For more information, see <<privileges-list-cluster>>.

View File

@ -313,12 +313,10 @@ A bucket resource has the following properties:
`timestamp`:: `timestamp`::
(date) The start time of the bucket, specified in ISO 8601 format. (date) The start time of the bucket, specified in ISO 8601 format.
For example, 1454020800000. This timestamp uniquely identifies the bucket. + For example, 1454020800000. This timestamp uniquely identifies the bucket. +
+
--
NOTE: Events that occur exactly at the timestamp of the bucket are included in NOTE: Events that occur exactly at the timestamp of the bucket are included in
the results for the bucket. the results for the bucket.
--
[float] [float]
[[ml-results-categories]] [[ml-results-categories]]
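Review bot: While this `timestamp` entry is being touched, the description is inconsistent with its own example: it says "specified in ISO 8601 format" but gives "For example, 1454020800000", which is an epoch value in milliseconds. Either change the stated format or replace the example with an ISO 8601 string.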

View File

@ -3,7 +3,8 @@
==== Model Snapshot Resources ==== Model Snapshot Resources
Model snapshots are saved to disk periodically. Model snapshots are saved to disk periodically.
By default, this is occurs approximately every 3 hours to 4 hours and is configurable using the setting `background_persist_interval`. By default, this is occurs approximately every 3 hours to 4 hours and is
configurable with the `background_persist_interval` property.
By default, model snapshots are retained for one day. You can change this By default, model snapshots are retained for one day. You can change this
behavior by updating the `model_snapshot_retention_days` for the job. behavior by updating the `model_snapshot_retention_days` for the job.
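Review bot: The rewrapped sentence carries over the typo "By default, this is occurs approximately every 3 hours to 4 hours". Suggest "By default, this occurs approximately every 3 to 4 hours", which also matches the wording used for `background_persist_interval` on the job resource page.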

View File

@ -26,16 +26,22 @@ The following properties can be updated after the job is created:
`analysis_config`:: `analysis_config`::
(object) The analysis configuration, which specifies how to analyze the data. (object) The analysis configuration, which specifies how to analyze the data.
See <<ml-analysisconfig, analysis configuration objects>>. In particular, the following properties can be updated: `categorization_filters`, `detector_description`, TBD. See <<ml-analysisconfig, analysis configuration objects>>. In particular,
the following properties can be updated: `categorization_filters`,
`detector_description`, TBD.
`analysis_limits`:: `analysis_limits`::
(object) Specifies runtime limits for the job. (object) Specifies runtime limits for the job.
See <<ml-apilimits,analysis limits>>. NOTE: See <<ml-apilimits,analysis limits>>.
[NOTE]
--
* You can update the `analysis_limits` only while the job is closed. * You can update the `analysis_limits` only while the job is closed.
* The `model_memory_limit` property value cannot be decreased. * The `model_memory_limit` property value cannot be decreased.
* If the `memory_status` property in the `model_size_stats` object has a value of `hard_limit`, * If the `memory_status` property in the `model_size_stats` object has a value
this means that it was unable to process some data. You may wish to re-run this job of `hard_limit`, this means that it was unable to process some data. You might
with an increased `model_memory_limit`. want to re-run this job with an increased `model_memory_limit`.
--
`description`:: `description`::
(string) An optional description of the job. (string) An optional description of the job.
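Review bot: The `analysis_config` description still ends with the placeholder "`detector_description`, TBD." after being rewrapped. Replace "TBD" with the actual list of updatable properties, or cut the sentence off at the two that are confirmed, before this is published.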

View File

@ -32,10 +32,12 @@ For more information, see <<privileges-list-cluster>>.
The following properties can be updated after the model snapshot is created: The following properties can be updated after the model snapshot is created:
`description`:: `description`::
(string) An optional description of the model snapshot. E.g. "Before black friday" (string) An optional description of the model snapshot. For example,
"Before black friday".
`retain`:: `retain`::
(boolean) If true, this snapshot will not be deleted during automatic cleanup of snapshots older than `model_snapshot_retention_days`. (boolean) If true, this snapshot will not be deleted during automatic cleanup
of snapshots older than `model_snapshot_retention_days`.
Note that this snapshot will still be deleted when the job is deleted. Note that this snapshot will still be deleted when the job is deleted.
The default value is false. The default value is false.