application/json

BodyRequired

  • analysis_configobject
    Hide analysis_config attributes Show analysis_config attributes object
    • bucket_spanstring

      A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

    • categorization_analyzerstring | object

      One of:
      CategorizationAnalyzerstringCategorizationAnalyzerDefinitionobject
    • categorization_field_namestring

      Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

    • categorization_filtersarray[string]

      If categorization_field_name is specified, you can also define optional filters. This property expects an array of regular expressions. The expressions are used to filter out matching sequences from the categorization field values. You can use this functionality to fine tune the categorization by excluding sequences from consideration when categories are defined. For example, you can exclude SQL statements that appear in your log files. This property cannot be used at the same time as categorization_analyzer. If you only want to define simple regular expression filters that are applied prior to tokenization, setting this property is the easiest method. If you also want to customize the tokenizer or post-tokenization filtering, use the categorization_analyzer property instead and include the filters as pattern_replace character filters. The effect is exactly the same.

    • detectorsarray[object] Required

      Detector configuration objects specify which data fields a job analyzes. They also specify which analytical functions are used. You can specify multiple detectors for a job. If the detectors array does not contain at least one detector, no analysis can occur and an error is returned.

      Hide detectors attributes Show detectors attributes object
      • by_field_namestring

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • custom_rulesarray[object]

        Custom rules enable you to customize the way detectors operate. For example, a rule may dictate conditions under which results should be skipped. Kibana refers to custom rules as job rules.

        Hide custom_rules attributes Show custom_rules attributes object
        • actionsarray[string]

          The set of actions to be triggered when the rule applies. If more than one action is specified the effects of all actions are combined.

          Values are skip_result or skip_model_update.

        • conditionsarray[object]

          An array of numeric conditions when the rule applies. A rule must either have a non-empty scope or at least one condition. Multiple conditions are combined together with a logical AND.

        • scopeobject

          A scope of series where the rule applies. A rule must either have a non-empty scope or at least one condition. By default, the scope includes all series. Scoping is allowed for any of the fields that are also specified in by_field_name, over_field_name, or partition_field_name.

          Hide scope attribute Show scope attribute object
          • *object Additional properties
      • detector_descriptionstring

        A description of the detector.

      • detector_indexnumber

        A unique identifier for the detector. This identifier is based on the order of the detectors in the analysis_config, starting at zero. If you specify a value for this property, it is ignored.

      • exclude_frequentstring

        Values are all, none, by, or over.

      • field_namestring

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • functionstring

        The analysis function that is used. For example, count, rare, mean, min, max, or sum.

      • over_field_namestring

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • partition_field_namestring

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • use_nullboolean

        Defines whether a new series is used as the null series when there is no value for the by or partition fields.

    • influencersarray[string]

      A comma separated list of influencer field names. Typically these can be the by, over, or partition fields that are used in the detector configuration. You might also want to use a field name that is not specifically named in a detector, but is available as part of the input data. When you use multiple detectors, the use of influencers is recommended as it aggregates results for each influencer entity.

    • latencystring

      A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

    • model_prune_windowstring

      A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

    • multivariate_by_fieldsboolean

      This functionality is reserved for internal use. It is not supported for use in customer environments and is not subject to the support SLA of official GA features. If set to true, the analysis will automatically find correlations between metrics for a given by field value and report anomalies when those correlations cease to hold. For example, suppose CPU and memory usage on host A is usually highly correlated with the same metrics on host B. Perhaps this correlation occurs because they are running a load-balanced application. If you enable this property, anomalies will be reported when, for example, CPU usage on host A is high and the value of CPU usage on host B is low. That is to say, you’ll see an anomaly when the CPU of host A is unusual given the CPU of host B. To use the multivariate_by_fields property, you must also specify by_field_name in your detector.

    • per_partition_categorizationobject
      Hide per_partition_categorization attributes Show per_partition_categorization attributes object
      • enabledboolean

        To enable this setting, you must also set the partition_field_name property to the same value in every detector that uses the keyword mlcategory. Otherwise, job creation fails.

      • stop_on_warnboolean

        This setting can be set to true only if per-partition categorization is enabled. If true, both categorization and subsequent anomaly detection stops for partitions where the categorization status changes to warn. This setting makes it viable to have a job where it is expected that categorization works well for some partitions but not others; you do not pay the cost of bad categorization forever in the partitions where it works badly.

    • summary_count_field_namestring

      Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

  • max_bucket_cardinalityobject

    Estimates of the highest cardinality in a single bucket that is observed for influencer fields over the time period that the job analyzes data. To produce a good answer, values must be provided for all influencer fields. Providing values for fields that are not listed as influencers has no effect on the estimation.

    Hide max_bucket_cardinality attribute Show max_bucket_cardinality attribute object
    • *number Additional properties
  • overall_cardinalityobject

    Estimates of the cardinality that is observed for fields over the whole time period that the job analyzes data. To produce a good answer, values must be provided for fields referenced in the by_field_name, over_field_name and partition_field_name of any detectors. Providing values for other fields has no effect on the estimation. It can be omitted from the request if no detectors have a by_field_name, over_field_name or partition_field_name.

    Hide overall_cardinality attribute Show overall_cardinality attribute object
    • *number Additional properties

Responses

POST /_ml/anomaly_detectors/_estimate_model_memory
POST _ml/anomaly_detectors/_estimate_model_memory
{
  "analysis_config": {
    "bucket_span": "5m",
    "detectors": [
      {
        "function": "sum",
        "field_name": "bytes",
        "by_field_name": "status",
        "partition_field_name": "app"
      }
    ],
    "influencers": [
      "source_ip",
      "dest_ip"
    ]
  },
  "overall_cardinality": {
    "status": 10,
    "app": 50
  },
  "max_bucket_cardinality": {
    "source_ip": 300,
    "dest_ip": 30
  }
}
resp = client.ml.estimate_model_memory(
    analysis_config={
        "bucket_span": "5m",
        "detectors": [
            {
                "function": "sum",
                "field_name": "bytes",
                "by_field_name": "status",
                "partition_field_name": "app"
            }
        ],
        "influencers": [
            "source_ip",
            "dest_ip"
        ]
    },
    overall_cardinality={
        "status": 10,
        "app": 50
    },
    max_bucket_cardinality={
        "source_ip": 300,
        "dest_ip": 30
    },
)
const response = await client.ml.estimateModelMemory({
  analysis_config: {
    bucket_span: "5m",
    detectors: [
      {
        function: "sum",
        field_name: "bytes",
        by_field_name: "status",
        partition_field_name: "app",
      },
    ],
    influencers: ["source_ip", "dest_ip"],
  },
  overall_cardinality: {
    status: 10,
    app: 50,
  },
  max_bucket_cardinality: {
    source_ip: 300,
    dest_ip: 30,
  },
});
response = client.ml.estimate_model_memory(
  body: {
    "analysis_config": {
      "bucket_span": "5m",
      "detectors": [
        {
          "function": "sum",
          "field_name": "bytes",
          "by_field_name": "status",
          "partition_field_name": "app"
        }
      ],
      "influencers": [
        "source_ip",
        "dest_ip"
      ]
    },
    "overall_cardinality": {
      "status": 10,
      "app": 50
    },
    "max_bucket_cardinality": {
      "source_ip": 300,
      "dest_ip": 30
    }
  }
)
$resp = $client->ml()->estimateModelMemory([
    "body" => [
        "analysis_config" => [
            "bucket_span" => "5m",
            "detectors" => array(
                [
                    "function" => "sum",
                    "field_name" => "bytes",
                    "by_field_name" => "status",
                    "partition_field_name" => "app",
                ],
            ),
            "influencers" => array(
                "source_ip",
                "dest_ip",
            ),
        ],
        "overall_cardinality" => [
            "status" => 10,
            "app" => 50,
        ],
        "max_bucket_cardinality" => [
            "source_ip" => 300,
            "dest_ip" => 30,
        ],
    ],
]);
curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"analysis_config":{"bucket_span":"5m","detectors":[{"function":"sum","field_name":"bytes","by_field_name":"status","partition_field_name":"app"}],"influencers":["source_ip","dest_ip"]},"overall_cardinality":{"status":10,"app":50},"max_bucket_cardinality":{"source_ip":300,"dest_ip":30}}' "$ELASTICSEARCH_URL/_ml/anomaly_detectors/_estimate_model_memory"
Request example
Run `POST _ml/anomaly_detectors/_estimate_model_memory` to estimate the model memory limit based on the analysis configuration details provided in the request body.
{
  "analysis_config": {
    "bucket_span": "5m",
    "detectors": [
      {
        "function": "sum",
        "field_name": "bytes",
        "by_field_name": "status",
        "partition_field_name": "app"
      }
    ],
    "influencers": [
      "source_ip",
      "dest_ip"
    ]
  },
  "overall_cardinality": {
    "status": 10,
    "app": 50
  },
  "max_bucket_cardinality": {
    "source_ip": 300,
    "dest_ip": 30
  }
}
Response examples (200)
A successful response from `POST _ml/anomaly_detectors/_estimate_model_memory`.
{
  "model_memory_estimate": "21mb"
}