OpenSearch/docs/reference/ml/anomaly-detection/apis/get-influencer.asciidoc

162 lines
4.8 KiB
Plaintext

[role="xpack"]
[testenv="platinum"]
[[ml-get-influencer]]
= Get influencers API
++++
<titleabbrev>Get influencers</titleabbrev>
++++
Retrieves {anomaly-job} results for one or more influencers.
[[ml-get-influencer-request]]
== {api-request-title}
`GET _ml/anomaly_detectors/<job_id>/results/influencers`
[[ml-get-influencer-prereqs]]
== {api-prereq-title}
* If the {es} {security-features} are enabled, you must have `monitor_ml`,
`monitor`, `manage_ml`, or `manage` cluster privileges to use this API. You also
need `read` index privilege on the index that stores the results. The
`machine_learning_admin` and `machine_learning_user` roles provide these
privileges. See <<security-privileges>> and
<<built-in-roles>>.
[[ml-get-influencer-desc]]
== {api-description-title}
Influencers are the entities that have contributed to, or are to blame for,
the anomalies. Influencer results are available only if an
`influencer_field_name` is specified in the job configuration.
[[ml-get-influencer-path-parms]]
== {api-path-parms-title}
`<job_id>`::
(Required, string)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]
[[ml-get-influencer-request-body]]
== {api-request-body-title}
`desc`::
(Optional, boolean)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=desc-results]
`end`::
(Optional, string) Returns influencers with timestamps earlier than this time.
`exclude_interim`::
(Optional, boolean)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=exclude-interim-results]
`influencer_score`::
(Optional, double) Returns influencers with anomaly scores greater than or equal
to this value.
`page`.`from`::
(Optional, integer) Skips the specified number of influencers.
`page`.`size`::
(Optional, integer) Specifies the maximum number of influencers to obtain.
`sort`::
(Optional, string) Specifies the sort field for the requested influencers. By
default, the influencers are sorted by the `influencer_score` value.
`start`::
(Optional, string) Returns influencers with timestamps after this time.
[[ml-get-influencer-results]]
== {api-response-body-title}
The API returns an array of influencer objects, which have the following
properties:
`bucket_span`::
(number)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=bucket-span-results]
`influencer_score`::
(number) A normalized score between 0-100, which is based on the probability of
the influencer in this bucket aggregated across detectors. Unlike
`initial_influencer_score`, this value will be updated by a re-normalization
process as new data is analyzed.
`influencer_field_name`::
(string) The field name of the influencer.
`influencer_field_value`::
(string) The entity that influenced, contributed to, or was to blame for the
anomaly.
`initial_influencer_score`::
(number) A normalized score between 0-100, which is based on the probability of
the influencer aggregated across detectors. This is the initial value that was
calculated at the time the bucket was processed.
`is_interim`::
(boolean)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=is-interim]
`job_id`::
(string)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]
`probability`::
(number) The probability that the influencer has this behavior, in the range 0
to 1. This value can be held to a high precision of over 300 decimal places, so
the `influencer_score` is provided as a human-readable and friendly
interpretation of this.
`result_type`::
(string) Internal. This value is always set to `influencer`.
`timestamp`::
(date)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=timestamp-results]
NOTE: Additional influencer properties are added, depending on the fields being
analyzed. For example, if it's analyzing `user_name` as an influencer, then a
field `user_name` is added to the result document. This information enables you to
filter the anomaly results more easily.
[[ml-get-influencer-example]]
== {api-examples-title}
[source,console]
--------------------------------------------------
GET _ml/anomaly_detectors/high_sum_total_sales/results/influencers
{
"sort": "influencer_score",
"desc": true
}
--------------------------------------------------
// TEST[skip:Kibana sample data]
In this example, the API returns the following information, sorted based on the
influencer score in descending order:
[source,js]
----
{
"count": 189,
"influencers": [
{
"job_id": "high_sum_total_sales",
"result_type": "influencer",
"influencer_field_name": "customer_full_name.keyword",
"influencer_field_value": "Wagdi Shaw",
"customer_full_name.keyword" : "Wagdi Shaw",
"influencer_score": 99.02493,
"initial_influencer_score" : 94.67233079580171,
"probability" : 1.4784807245686567E-10,
"bucket_span" : 3600,
"is_interim" : false,
"timestamp" : 1574661600000
},
...
]
}
----