162 lines
4.8 KiB
Plaintext
162 lines
4.8 KiB
Plaintext
[role="xpack"]
|
|
[testenv="platinum"]
|
|
[[ml-get-influencer]]
|
|
= Get influencers API
|
|
++++
|
|
<titleabbrev>Get influencers</titleabbrev>
|
|
++++
|
|
|
|
Retrieves {anomaly-job} results for one or more influencers.
|
|
|
|
[[ml-get-influencer-request]]
|
|
== {api-request-title}
|
|
|
|
`GET _ml/anomaly_detectors/<job_id>/results/influencers`
|
|
|
|
[[ml-get-influencer-prereqs]]
|
|
== {api-prereq-title}
|
|
|
|
* If the {es} {security-features} are enabled, you must have `monitor_ml`,
|
|
`monitor`, `manage_ml`, or `manage` cluster privileges to use this API. You also
|
|
need `read` index privilege on the index that stores the results. The
|
|
`machine_learning_admin` and `machine_learning_user` roles provide these
|
|
privileges. See <<security-privileges>>, <<built-in-roles>>, and
|
|
{ml-docs-setup-privileges}.
|
|
|
|
[[ml-get-influencer-desc]]
|
|
== {api-description-title}
|
|
|
|
Influencers are the entities that have contributed to, or are to blame for,
|
|
the anomalies. Influencer results are available only if an
|
|
`influencer_field_name` is specified in the job configuration.
|
|
|
|
[[ml-get-influencer-path-parms]]
|
|
== {api-path-parms-title}
|
|
|
|
`<job_id>`::
|
|
(Required, string)
|
|
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]
|
|
|
|
[[ml-get-influencer-request-body]]
|
|
== {api-request-body-title}
|
|
|
|
`desc`::
|
|
(Optional, Boolean)
|
|
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=desc-results]
|
|
|
|
`end`::
|
|
(Optional, string) Returns influencers with timestamps earlier than this time.
|
|
|
|
`exclude_interim`::
|
|
(Optional, Boolean)
|
|
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=exclude-interim-results]
|
|
|
|
`influencer_score`::
|
|
(Optional, double) Returns influencers with anomaly scores greater than or equal
|
|
to this value.
|
|
|
|
`page`.`from`::
|
|
(Optional, integer) Skips the specified number of influencers.
|
|
|
|
`page`.`size`::
|
|
(Optional, integer) Specifies the maximum number of influencers to obtain.
|
|
|
|
`sort`::
|
|
(Optional, string) Specifies the sort field for the requested influencers. By
|
|
default, the influencers are sorted by the `influencer_score` value.
|
|
|
|
`start`::
|
|
(Optional, string) Returns influencers with timestamps after this time.
|
|
|
|
[[ml-get-influencer-results]]
|
|
== {api-response-body-title}
|
|
|
|
The API returns an array of influencer objects, which have the following
|
|
properties:
|
|
|
|
`bucket_span`::
|
|
(number)
|
|
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=bucket-span-results]
|
|
|
|
`influencer_score`::
|
|
(number) A normalized score between 0-100, which is based on the probability of
|
|
the influencer in this bucket aggregated across detectors. Unlike
|
|
`initial_influencer_score`, this value will be updated by a re-normalization
|
|
process as new data is analyzed.
|
|
|
|
`influencer_field_name`::
|
|
(string) The field name of the influencer.
|
|
|
|
`influencer_field_value`::
|
|
(string) The entity that influenced, contributed to, or was to blame for the
|
|
anomaly.
|
|
|
|
`initial_influencer_score`::
|
|
(number) A normalized score between 0-100, which is based on the probability of
|
|
the influencer aggregated across detectors. This is the initial value that was
|
|
calculated at the time the bucket was processed.
|
|
|
|
`is_interim`::
|
|
(Boolean)
|
|
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=is-interim]
|
|
|
|
`job_id`::
|
|
(string)
|
|
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]
|
|
|
|
`probability`::
|
|
(number) The probability that the influencer has this behavior, in the range 0
|
|
to 1. This value can be held to a high precision of over 300 decimal places, so
|
|
the `influencer_score` is provided as a human-readable and friendly
|
|
interpretation of this.
|
|
|
|
`result_type`::
|
|
(string) Internal. This value is always set to `influencer`.
|
|
|
|
`timestamp`::
|
|
(date)
|
|
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=timestamp-results]
|
|
|
|
NOTE: Additional influencer properties are added, depending on the fields being
|
|
analyzed. For example, if it's analyzing `user_name` as an influencer, then a
|
|
field `user_name` is added to the result document. This information enables you to
|
|
filter the anomaly results more easily.
|
|
|
|
[[ml-get-influencer-example]]
|
|
== {api-examples-title}
|
|
|
|
[source,console]
|
|
--------------------------------------------------
|
|
GET _ml/anomaly_detectors/high_sum_total_sales/results/influencers
|
|
{
|
|
"sort": "influencer_score",
|
|
"desc": true
|
|
}
|
|
--------------------------------------------------
|
|
// TEST[skip:Kibana sample data]
|
|
|
|
In this example, the API returns the following information, sorted based on the
|
|
influencer score in descending order:
|
|
[source,js]
|
|
----
|
|
{
|
|
"count": 189,
|
|
"influencers": [
|
|
{
|
|
"job_id": "high_sum_total_sales",
|
|
"result_type": "influencer",
|
|
"influencer_field_name": "customer_full_name.keyword",
|
|
"influencer_field_value": "Wagdi Shaw",
|
|
"customer_full_name.keyword" : "Wagdi Shaw",
|
|
"influencer_score": 99.02493,
|
|
"initial_influencer_score" : 94.67233079580171,
|
|
"probability" : 1.4784807245686567E-10,
|
|
"bucket_span" : 3600,
|
|
"is_interim" : false,
|
|
"timestamp" : 1574661600000
|
|
},
|
|
...
|
|
]
|
|
}
|
|
----
|