Get buckets API

Get buckets API

Retrieves anomaly detection job results for one or more buckets.

Request

GET _ml/anomaly_detectors/<job_id>/results/buckets

GET _ml/anomaly_detectors/<job_id>/results/buckets/<timestamp>

Prerequisites

Requires the monitor_ml cluster privilege. This privilege is included in the machine_learning_user built-in role.

Description

The get buckets API presents a chronological view of the records, grouped by bucket.

Path parameters

<job_id>

(Required, string) Identifier for the anomaly detection job.

<timestamp>

(Optional, string) The timestamp of a single bucket result. If you do not specify this parameter, the API returns information about all buckets.

Query parameters

anomaly_score

(Optional, double) Returns buckets with anomaly scores greater or equal than this value. Defaults to 0.0.

desc

(Optional, Boolean) If true, the buckets are sorted in descending order. Defaults to false.

end

(Optional, string) Returns buckets with timestamps earlier than this time. Defaults to -1, which means it is unset and results are not limited to specific timestamps.

exclude_interim

(Optional, Boolean) If true, the output excludes interim results. Defaults to false, which means interim results are included.

expand

(Optional, Boolean) If true, the output includes anomaly records. Defaults to false.

from

(Optional, integer) Skips the specified number of buckets. Defaults to 0.

size

(Optional, integer) Specifies the maximum number of buckets to obtain. Defaults to 100.

sort

(Optional, string) Specifies the sort field for the requested buckets. By default, the buckets are sorted by the timestamp field.

start

(Optional, string) Returns buckets with timestamps after this time. Defaults to -1, which means it is unset and results are not limited to specific timestamps.

Request body

You can also specify the query parameters in the request body; the exception are from and size, use page instead:

page

Properties of page

  • from

    (Optional, integer) Skips the specified number of buckets. Defaults to 0.

    size

    (Optional, integer) Specifies the maximum number of buckets to obtain. Defaults to 100.

Response body

The API returns an array of bucket objects, which have the following properties:

anomaly_score

(number) The maximum anomaly score, between 0-100, for any of the bucket influencers. This is an overall, rate-limited score for the job. All the anomaly records in the bucket contribute to this score. This value might be updated as new data is analyzed.

bucket_influencers

(array) An array of bucket influencer objects.

Properties of bucket_influencers

  • anomaly_score

    (number) A normalized score between 0-100, which is calculated for each bucket influencer. This score might be updated as newer data is analyzed.

    bucket_span

    (number) The length of the bucket in seconds. This value matches the bucket_span that is specified in the job.

    influencer_field_name

    (string) The field name of the influencer.

  • initial_anomaly_score

    (number) The score between 0-100 for each bucket influencer. This score is the initial value that was calculated at the time the bucket was processed.

    is_interim

    (Boolean) If true, this is an interim result. In other words, the results are calculated based on partial input data.

    job_id

    (string) Identifier for the anomaly detection job.

    probability

    (number) The probability that the bucket has this behavior, in the range 0 to 1. This value can be held to a high precision of over 300 decimal places, so the anomaly_score is provided as a human-readable and friendly interpretation of this.

    raw_anomaly_score

    (number) Internal.

    result_type

    (string) Internal. This value is always set to bucket_influencer.

    timestamp

    (date) The start time of the bucket for which these results were calculated.

bucket_span

(number) The length of the bucket in seconds. This value matches the bucket_span that is specified in the job.

event_count

(number) The number of input data records processed in this bucket.

initial_anomaly_score

(number) The maximum anomaly_score for any of the bucket influencers. This is the initial value that was calculated at the time the bucket was processed.

is_interim

(Boolean) If true, this is an interim result. In other words, the results are calculated based on partial input data.

job_id

(string) Identifier for the anomaly detection job.

processing_time_ms

(number) The amount of time, in milliseconds, that it took to analyze the bucket contents and calculate results.

result_type

(string) Internal. This value is always set to bucket.

timestamp

(date) The start time of the bucket. This timestamp uniquely identifies the bucket.

Events that occur exactly at the timestamp of the bucket are included in the results for the bucket.

Examples

  1. GET _ml/anomaly_detectors/low_request_rate/results/buckets
  2. {
  3. "anomaly_score": 80,
  4. "start": "1454530200001"
  5. }

In this example, the API returns a single result that matches the specified score and time constraints:

  1. {
  2. "count" : 1,
  3. "buckets" : [
  4. {
  5. "job_id" : "low_request_rate",
  6. "timestamp" : 1578398400000,
  7. "anomaly_score" : 91.58505459594764,
  8. "bucket_span" : 3600,
  9. "initial_anomaly_score" : 91.58505459594764,
  10. "event_count" : 0,
  11. "is_interim" : false,
  12. "bucket_influencers" : [
  13. {
  14. "job_id" : "low_request_rate",
  15. "result_type" : "bucket_influencer",
  16. "influencer_field_name" : "bucket_time",
  17. "initial_anomaly_score" : 91.58505459594764,
  18. "anomaly_score" : 91.58505459594764,
  19. "raw_anomaly_score" : 0.5758246639716365,
  20. "probability" : 1.7340849573442696E-4,
  21. "timestamp" : 1578398400000,
  22. "bucket_span" : 3600,
  23. "is_interim" : false
  24. }
  25. ],
  26. "processing_time_ms" : 0,
  27. "result_type" : "bucket"
  28. }
  29. ]
  30. }