Get buckets APIedit
Retrieves anomaly detection job results for one or more buckets.
Requestedit
GET _ml/anomaly_detectors/<job_id>/results/buckets
GET _ml/anomaly_detectors/<job_id>/results/buckets/<timestamp>
Prerequisitesedit
Requires the monitor_ml
cluster privilege. This privilege is included in the
machine_learning_user
built-in role.
Descriptionedit
The get buckets API presents a chronological view of the records, grouped by bucket.
Path parametersedit
-
<job_id>
- (Required, string) Identifier for the anomaly detection job.
-
<timestamp>
- (Optional, string) The timestamp of a single bucket result. If you do not specify this parameter, the API returns information about all buckets.
Query parametersedit
-
anomaly_score
-
(Optional, double) Returns buckets with anomaly scores greater or equal than
this value. Defaults to
0.0
. -
desc
-
(Optional, Boolean) If true, the buckets are sorted in descending order.
Defaults to
false
. -
end
-
(Optional, string) Returns buckets with timestamps earlier than this time.
Defaults to
-1
, which means it is unset and results are not limited to specific timestamps. -
exclude_interim
-
(Optional, Boolean)
If
true
, the output excludes interim results. Defaults tofalse
, which means interim results are included. -
expand
-
(Optional, Boolean) If true, the output includes anomaly records. Defaults to
false
. -
from
-
(Optional, integer) Skips the specified number of buckets. Defaults to
0
. -
size
-
(Optional, integer) Specifies the maximum number of buckets to obtain. Defaults
to
100
. -
sort
-
(Optional, string) Specifies the sort field for the requested buckets. By
default, the buckets are sorted by the
timestamp
field. -
start
-
(Optional, string) Returns buckets with timestamps after this time. Defaults to
-1
, which means it is unset and results are not limited to specific timestamps.
Request bodyedit
You can also specify the query parameters in the request body; the exception are
from
and size
, use page
instead:
-
page
-
Properties of
page
-
from
-
(Optional, integer) Skips the specified number of buckets. Defaults to
0
. -
size
-
(Optional, integer) Specifies the maximum number of buckets to obtain. Defaults
to
100
.
-
Response bodyedit
The API returns an array of bucket objects, which have the following properties:
-
anomaly_score
- (number) The maximum anomaly score, between 0-100, for any of the bucket influencers. This is an overall, rate-limited score for the job. All the anomaly records in the bucket contribute to this score. This value might be updated as new data is analyzed.
-
bucket_influencers
-
(array) An array of bucket influencer objects.
Properties of
bucket_influencers
-
anomaly_score
- (number) A normalized score between 0-100, which is calculated for each bucket influencer. This score might be updated as newer data is analyzed.
-
bucket_span
-
(number) The length of the bucket in seconds. This value matches the
bucket_span
that is specified in the job. -
influencer_field_name
- (string) The field name of the influencer.
-
initial_anomaly_score
- (number) The score between 0-100 for each bucket influencer. This score is the initial value that was calculated at the time the bucket was processed.
-
is_interim
-
(Boolean)
If
true
, this is an interim result. In other words, the results are calculated based on partial input data. -
job_id
- (string) Identifier for the anomaly detection job.
-
probability
-
(number) The probability that the bucket has this behavior, in the range 0 to 1.
This value can be held to a high precision of over 300 decimal places, so the
anomaly_score
is provided as a human-readable and friendly interpretation of this. -
raw_anomaly_score
- (number) Internal.
-
result_type
-
(string) Internal. This value is always set to
bucket_influencer
. -
timestamp
- (date) The start time of the bucket for which these results were calculated.
-
-
bucket_span
-
(number)
The length of the bucket in seconds. This value matches the
bucket_span
that is specified in the job. -
event_count
- (number) The number of input data records processed in this bucket.
-
initial_anomaly_score
-
(number) The maximum
anomaly_score
for any of the bucket influencers. This is the initial value that was calculated at the time the bucket was processed. -
is_interim
-
(Boolean)
If
true
, this is an interim result. In other words, the results are calculated based on partial input data. -
job_id
- (string) Identifier for the anomaly detection job.
-
processing_time_ms
- (number) The amount of time, in milliseconds, that it took to analyze the bucket contents and calculate results.
-
result_type
-
(string) Internal. This value is always set to
bucket
. -
timestamp
-
(date) The start time of the bucket. This timestamp uniquely identifies the bucket.
Events that occur exactly at the timestamp of the bucket are included in the results for the bucket.
Examplesedit
GET _ml/anomaly_detectors/low_request_rate/results/buckets { "anomaly_score": 80, "start": "1454530200001" }
In this example, the API returns a single result that matches the specified score and time constraints:
{ "count" : 1, "buckets" : [ { "job_id" : "low_request_rate", "timestamp" : 1578398400000, "anomaly_score" : 91.58505459594764, "bucket_span" : 3600, "initial_anomaly_score" : 91.58505459594764, "event_count" : 0, "is_interim" : false, "bucket_influencers" : [ { "job_id" : "low_request_rate", "result_type" : "bucket_influencer", "influencer_field_name" : "bucket_time", "initial_anomaly_score" : 91.58505459594764, "anomaly_score" : 91.58505459594764, "raw_anomaly_score" : 0.5758246639716365, "probability" : 1.7340849573442696E-4, "timestamp" : 1578398400000, "bucket_span" : 3600, "is_interim" : false } ], "processing_time_ms" : 0, "result_type" : "bucket" } ] }