Anomaly detector suggestions

This is an experimental feature and is not recommended for use in a production environment. For updates on the progress of the feature or if you want to leave feedback, join the discussion on the OpenSearch forum.

The OpenSearch Dashboards Assistant can use a large language model (LLM) to suggest the creation of an anomaly detector. The LLM analyzes data patterns in your OpenSearch indexes and recommends configuration settings for the anomaly detector, making it easier to identify unusual activity or trends in your data.

Configuration

To configure anomaly detector suggestions, use the following steps.

Prerequisite

Before using anomaly detector suggestions, enable query enhancements in OpenSearch Dashboards as follows:

  1. On the top menu bar, go to Management > Dashboards Management.
  2. In the left navigation pane, select Advanced settings.
  3. On the settings page, toggle Enable query enhancements to On.

Step 1: Enable anomaly detector suggestions

To enable anomaly detector suggestions, configure the following opensearch_dashboards.yml setting:

    assistant.smartAnomalyDetector.enabled: true

Step 2: Create an anomaly detector suggestion agent

To orchestrate anomaly detector suggestions, create an anomaly detector suggestion agent. To create an agent, send a POST /_plugins/_flow_framework/workflow?provision=true request and provide the agent template as a payload. For more information, see Configuring OpenSearch Assistant.

For sample agent templates, see Flow Framework sample templates. Note the agent ID; you’ll use it in the following step.

Step 3: Configure the agent

Next, configure the anomaly detector suggestion agent created in the previous step:

    POST /.plugins-ml-config/_doc/os_suggest_ad
    {
      "type": "suggest_anomaly_detector_agent",
      "configuration": {
        "agent_id": "<SUGGEST_ANOMALY_DETECTOR_AGENT_ID>"
      }
    }

The preceding request writes to a system index. In security-enabled domains, only superadmins have permissions to execute this request. For information about making superadmin calls, see System indexes. For access permissions, contact your system administrator.

Step 4: Test the agent

You can verify that the agent was created successfully by calling the agent with an example payload:

    POST /_plugins/_ml/agents/<SUGGEST_ANOMALY_DETECTOR_AGENT_ID>/_execute
    {
      "parameters": {
        "index": "sample_weblogs_test"
      }
    }
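
Steps 3 and 4 as a shell script, added here as an example and not taken from the OpenSearch documentation or project code. It assumes curl, a superadmin client certificate (file names admin.pem, admin-key.pem, and root-ca.pem), an OS_URL endpoint, an OS_USER account, and agent IDs made of URL-safe characters; the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example, not OpenSearch project code. Assumed (not on the page):
# OS_URL, OS_USER, and the certificate file names below.
OS_URL="${OS_URL:-https://localhost:9200}"
ADMIN_CERT="${ADMIN_CERT:-admin.pem}"
ADMIN_KEY="${ADMIN_KEY:-admin-key.pem}"
ROOT_CA="${ROOT_CA:-root-ca.pem}"

# Assumed ID format: URL-safe characters only. This rejects the unreplaced
# <SUGGEST_ANOMALY_DETECTOR_AGENT_ID> placeholder and anything that could
# change the URL path or break out of the JSON string.
valid_agent_id() {
  case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}
valid_index() {
  case "$1" in ''|*[!a-z0-9._-]*) return 1 ;; esac
}

# Step 3 body, stored at /.plugins-ml-config/_doc/os_suggest_ad.
config_body() {
  valid_agent_id "$1" || return 1
  printf '{"type":"suggest_anomaly_detector_agent","configuration":{"agent_id":"%s"}}' "$1"
}
# Step 4 body.
execute_body() {
  valid_index "$1" || return 1
  printf '{"parameters":{"index":"%s"}}' "$1"
}

# Step 3: .plugins-ml-config is a system index, so authenticate with the
# superadmin client certificate instead of a user name and password.
register_agent() {
  body=$(config_body "$1") || { echo "rejected agent ID: $1" >&2; return 1; }
  curl --fail -sS --cert "$ADMIN_CERT" --key "$ADMIN_KEY" --cacert "$ROOT_CA" \
    -H 'Content-Type: application/json' -d "$body" \
    "$OS_URL/.plugins-ml-config/_doc/os_suggest_ad"
}
# Step 4: run the agent as an ordinary user (curl prompts for the password).
test_agent() {
  valid_agent_id "$1" || { echo "rejected agent ID: $1" >&2; return 1; }
  body=$(execute_body "$2") || { echo "rejected index: $2" >&2; return 1; }
  curl --fail -sS -u "$OS_USER" --cacert "$ROOT_CA" \
    -H 'Content-Type: application/json' -d "$body" \
    "$OS_URL/_plugins/_ml/agents/$1/_execute"
}

# Usage: ./script.sh <agent_id> [index]
if [ "$#" -ge 1 ]; then
  register_agent "$1" && test_agent "$1" "${2:-sample_weblogs_test}"
fi
```

Keeping the admin certificate confined to the single system index write, and testing the agent with a regular account, limits how often the superadmin credential is used.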

Viewing anomaly detector suggestions in OpenSearch Dashboards

To view anomaly detector suggestions in OpenSearch Dashboards, use the following steps:

  1. On the top menu bar, go to OpenSearch Dashboards > Discover.

  2. From the index pattern dropdown list, select an index pattern.

  3. Select the AI assistant dropdown list and then select Suggest anomaly detector, as shown in the following image.

    [Image: Click the Suggest anomaly detector action]

  4. Wait for the LLM to populate the Suggest anomaly detector fields that will be used to create an anomaly detector for the index pattern. Then select the Create detector button to create an anomaly detector, as shown in the following image.

    [Image: Suggested anomaly detector]