[role="xpack"] [testenv="platinum"] [[ml-get-influencer]] === Get influencers API ++++ Get influencers ++++ Retrieves {anomaly-job} results for one or more influencers. [[ml-get-influencer-request]] ==== {api-request-title} `GET _ml/anomaly_detectors//results/influencers` [[ml-get-influencer-prereqs]] ==== {api-prereq-title} * If the {es} {security-features} are enabled, you must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster privileges to use this API. You also need `read` index privilege on the index that stores the results. The `machine_learning_admin` and `machine_learning_user` roles provide these privileges. See <> and <>. [[ml-get-influencer-desc]] ==== {api-description-title} Influencers are the entities that have contributed to, or are to blame for, the anomalies. Influencer results are available only if an `influencer_field_name` is specified in the job configuration. [[ml-get-influencer-path-parms]] ==== {api-path-parms-title} ``:: (Required, string) include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection] [[ml-get-influencer-request-body]] ==== {api-request-body-title} `desc`:: (Optional, boolean) include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=desc-results] `end`:: (Optional, string) Returns influencers with timestamps earlier than this time. `exclude_interim`:: (Optional, boolean) include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=exclude-interim-results] `influencer_score`:: (Optional, double) Returns influencers with anomaly scores greater than or equal to this value. `page`.`from`:: (Optional, integer) Skips the specified number of influencers. `page`.`size`:: (Optional, integer) Specifies the maximum number of influencers to obtain. `sort`:: (Optional, string) Specifies the sort field for the requested influencers. By default, the influencers are sorted by the `influencer_score` value. `start`:: (Optional, string) Returns influencers with timestamps after this time. [[ml-get-influencer-results]] ==== {api-response-body-title} The API returns an array of influencer objects, which have the following properties: `bucket_span`:: (number) include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=bucket-span-results] `influencer_score`:: (number) A normalized score between 0-100, which is based on the probability of the influencer in this bucket aggregated across detectors. Unlike `initial_influencer_score`, this value will be updated by a re-normalization process as new data is analyzed. `influencer_field_name`:: (string) The field name of the influencer. `influencer_field_value`:: (string) The entity that influenced, contributed to, or was to blame for the anomaly. `initial_influencer_score`:: (number) A normalized score between 0-100, which is based on the probability of the influencer aggregated across detectors. This is the initial value that was calculated at the time the bucket was processed. `is_interim`:: (boolean) include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=is-interim] `job_id`:: (string) include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection] `probability`:: (number) The probability that the influencer has this behavior, in the range 0 to 1. This value can be held to a high precision of over 300 decimal places, so the `influencer_score` is provided as a human-readable and friendly interpretation of this. `result_type`:: (string) Internal. This value is always set to `influencer`. `timestamp`:: (date) include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=timestamp-results] NOTE: Additional influencer properties are added, depending on the fields being analyzed. For example, if it's analyzing `user_name` as an influencer, then a field `user_name` is added to the result document. This information enables you to filter the anomaly results more easily. [[ml-get-influencer-example]] ==== {api-examples-title} [source,console] -------------------------------------------------- GET _ml/anomaly_detectors/high_sum_total_sales/results/influencers { "sort": "influencer_score", "desc": true } -------------------------------------------------- // TEST[skip:Kibana sample data] In this example, the API returns the following information, sorted based on the influencer score in descending order: [source,js] ---- { "count": 189, "influencers": [ { "job_id": "high_sum_total_sales", "result_type": "influencer", "influencer_field_name": "customer_full_name.keyword", "influencer_field_value": "Wagdi Shaw", "customer_full_name.keyword" : "Wagdi Shaw", "influencer_score": 99.02493, "initial_influencer_score" : 94.67233079580171, "probability" : 1.4784807245686567E-10, "bucket_span" : 3600, "is_interim" : false, "timestamp" : 1574661600000 }, ... ] } ----