explore-analyze/machine-learning/anomaly-detection/ml-configuring-alerts.md
Lines changed: 17 additions & 19 deletions
@@ -45,30 +45,28 @@ To set up an {{anomaly-detect}} alert rule:
45
45
1. Open **{{rules-ui}}**: find **{{stack-manage-app}} > {{rules-ui}}** in the main menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
46
46
2. Select the **{{anomaly-detect-cap}}** rule type.
3. Select the [{{anomaly-job}}](/explore-analyze/machine-learning/anomaly-detection/ml-ad-run-jobs.md) that the rule applies to.
54
49
4. Select a type of {{ml}} result. You can create rules based on bucket, record, or influencer results.
55
50
5. (Optional) Configure the `anomaly_score` that triggers the action.
56
51
The `anomaly_score` indicates the significance of a given anomaly compared to
57
52
previous anomalies. The default severity threshold is 75 which means every
58
53
anomaly with an `anomaly_score` of 75 or higher triggers the associated action.
59
-
6. Select whether you want to include interim results. Interim results are created before a bucket is finalized and might disappear after full processing.
60
-
- Include interim results if you
61
-
want to be notified earlier about a potential anomaly even if it might be a
62
-
false positive.
63
-
- Don't include interim results if you want to get notified only about anomalies of fully
:alt: Selecting result type, severity, and interim results
68
-
:screenshot:
69
-
:::
54
+
6. {applies_to}`stack: ga 9.3`{applies_to}`serverless: ga` (Optional) To narrow down the list of anomalies that the rule looks for, add an **Anomaly filter**. This feature uses KQL and is only available for the Record and Influencer result types.
55
+
56
+
In the **Anomaly filter** field, enter a KQL query that specifies fields or conditions to alert on. You can set up the following conditions:
57
+
58
+
* One or more partitioning or influencers fields in the anomaly results match the specified conditions
59
+
* The actual or typical scores in the anomalies match the specified conditions
60
+
61
+
For example, say you've set up alerting for an anomaly detection job that has `partition_field = "response.keyword"` as the detector. If you were only interested in being alerted on `response.keyword = 404`, enter `partition_field_value: "404"` into the **Anomaly filter** field. When the rule runs, it will only alert on anomalies with `partition_field_value: "404"`.
62
+
63
+
::::{note}
64
+
When you edit the KQL query, suggested filter-by fields appear. To compare actual and typical values for any fields, use operators such as `>` (greater than), `<` (less than), or `=` (equal to).
65
+
::::
66
+
67
+
7. (Optional) Turn on **Include interim results** to include results that are created by the anomaly detection job *before* a bucket is finalized. These results might disappear after the bucket is fully processed. Include interim results to get notified earlier about potential anomalies, even if they might be false positives. Don't include interim results if you want to get notified only about anomalies of fully processed buckets.
70
68
71
-
7. (Optional) Configure **Advanced settings**:
69
+
8. (Optional) Configure **Advanced settings**:
72
70
- Configure the _Lookback interval_ to define how far back to query previous anomalies during each condition check. Its value is derived from the bucket span of the job and the query delay of the {{dfeed}} by default. It is not recommended to set the lookback interval lower than the default value, as it might result in missed anomalies.
73
71
- Configure the _Number of latest buckets_ to specify how many buckets to check to obtain the highest anomaly score found during the _Lookback interval_. The alert is created based on the highest scoring anomaly from the most anomalous bucket.
74
72
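Review bot: In the new step 6 example the detector setting is written as `partition_field = "response.keyword"`, but the job configuration key is `partition_field_name` (the result field the filter matches against is `partition_field_value`, which the example does use correctly); suggest `partition_field_name = "response.keyword"` so readers can map the example onto their own job config. Two smaller points in the same added lines: "partitioning or influencers fields" should read "partition or influencer fields", and the hunk also drops the screenshot block (`:alt: Selecting result type, severity, and interim results` / `:screenshot:` / `:::`) without a replacement image that shows the new Anomaly filter field, so confirm that removal is intended rather than a leftover.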
@@ -86,8 +84,8 @@ You can preview how the rule would perform on existing data:
86
84
:screenshot:
87
85
:::
88
86
89
-
8. Set how often to check the rule conditions by selecting a time value and unit under **Rule schedule**.
90
-
9. (Optional) Configure **Advanced options**:
87
+
9. Set how often to check the rule conditions by selecting a time value and unit under **Rule schedule**.
88
+
10. (Optional) Configure **Advanced options**:
91
89
- Define the number of consecutive matches required before an alert is triggered under **Alert delay**.
92
90
- Enable or disable **Flapping Detection** to reduce noise from frequently changing alerts. You can customize the flapping detection settings if you need different thresholds for detecting flapping behavior.
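Review bot: The renumbering of steps 8 and 9 to 9 and 10 is consistent with the step inserted in the previous hunk; the only thing left to double-check is whether any other page or anchor refers to these steps by number and needs the same bump.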
solutions/observability/incident-management/create-an-anomaly-detection-rule.md
Lines changed: 22 additions & 14 deletions
@@ -34,14 +34,8 @@ To create an anomaly detection rule:
34
34
2. In the list of anomaly detection jobs, find the job you want to check for anomalies. Haven’t created a job yet? [Create one now](/explore-analyze/machine-learning/anomaly-detection.md).
35
35
3. From the **Actions** menu next to the job, select **Create alert rule**.
36
36
4. Specify a name and optional tags for the rule. You can use these tags later to filter alerts.
37
-
5. Verify that the correct job is selected and configure the alert details:
5. Verify that the correct job is selected or select a new one.
38
+
6. Select a type of machine learning result:
45
39
46
40
| Choose… | To generate an alert based on… |
47
41
| --- | --- |
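Review bot: The new step 5, "Verify that the correct job is selected or select a new one.", adds the option of switching jobs, but steps 2 and 3 have already had the reader pick a specific job from its **Actions** menu; either say briefly why someone would change the job here (the rule form allows it) or drop the clause so the flow stays linear. Note also that the hunk shrinks 14 old lines to 8 and not all removed lines are visible in this rendering, so the review covers only the shown lines.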
@@ -50,18 +44,32 @@ To create an anomaly detection rule:
50
44
|**Influencer**| The most unusual entities in a time range |
51
45
52
46
7. Adjust the **Severity** to match the anomaly score that will trigger the action. The anomaly score indicates the significance of a given anomaly compared to previous anomalies. The default severity threshold is 75, which means every anomaly with an anomaly score of 75 or higher will trigger the associated action.
53
-
8. (Optional) Turn on **Include interim results** to include results that are created by the anomaly detection job *before* a bucket is finalized. These results might disappear after the bucket is fully processed. Include interim results if you want to be notified earlier about a potential anomaly even if it might be a false positive.
54
-
9. (Optional) Expand and change **Advanced settings**:
47
+
8. {applies_to}`stack: ga 9.3`{applies_to}`serverless: ga` (Optional) To narrow down the list of anomalies that the rule looks for, add an **Anomaly filter**. This feature uses KQL and is only available for the Record and Influencer result types.
48
+
49
+
In the **Anomaly filter** field, enter a KQL query that specifies fields or conditions to alert on. You can set up the following conditions:
50
+
51
+
* One or more partitioning or influencers fields in the anomaly results match the specified conditions
52
+
* The actual or typical scores in the anomalies match specified conditions
53
+
54
+
For example, say you've set up alerting for an anomaly detection job that has `partition_field = "response.keyword"` as the detector. If you were only interested in being alerted on `response.keyword = 404`, enter `partition_field_value: "404"` into the **Anomaly filter** field. When the rule runs, it will only alert on anomalies with `partition_field_value: "404"`.
55
+
56
+
::::{note}
57
+
When you edit the KQL query, suggested filter-by fields appear. To compare actual and typical values for any fields, use operators such as `>` (greater than), `<` (less than), or `=` (equal to).
58
+
::::
59
+
60
+
9. (Optional) Turn on **Include interim results** to include results that are created by the anomaly detection job *before* a bucket is finalized. These results might disappear after the bucket is fully processed. Include interim results to get notified earlier about potential anomalies, even if they might be false positives. Don't include interim results if you want to get notified only about anomalies of fully processed buckets.
61
+
62
+
10. (Optional) Expand and change **Advanced settings**:
55
63
56
64
| Setting | Description |
57
65
| --- | --- |
58
66
|**Lookback interval**| The interval used to query previous anomalies during each condition check. Setting the lookback interval lower than the default value might result in missed anomalies. |
59
67
|**Number of latest buckets**| The number of buckets to check to obtain the highest anomaly from all the anomalies that are found during the Lookback interval. An alert is created based on the anomaly with the highest anomaly score from the most anomalous bucket. |
60
68
61
-
10. (Optional) Under **Check the rule condition with an interval**, specify an interval, then click **Test** to check the rule condition with the interval specified. The button is grayed out if the datafeed is not started. To test the rule, start the data feed.
62
-
11. (Optional) If you want to change how often the condition is evaluated, adjust the **Check every** setting.
63
-
12. (Optional) Set up **Actions**.
64
-
13.**Save** your rule.
69
+
11. (Optional) Under **Check the rule condition with an interval**, specify an interval, then click **Test** to check the rule condition with the interval specified. The button is grayed out if the datafeed is not started. To test the rule, start the data feed.
70
+
12. (Optional) If you want to change how often the condition is evaluated, adjust the **Check every** setting.
71
+
13. (Optional) Set up **Actions**.
72
+
14.**Save** your rule.
65
73
66
74
::::{note}
67
75
Anomaly detection rules are defined as part of a job. Alerts generated by these rules do not appear on the **Alerts** page.
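Review bot: Same `partition_field` vs `partition_field_name` issue as in the ml-configuring-alerts.md hunk, and the whole Anomaly filter block is otherwise copied verbatim between the two files; drift is already visible ("match specified conditions" here vs "match the specified conditions" there), so if the docs build supports an include or snippet, source this block from one place. Also, the rewritten line `14.**Save** your rule.` keeps the missing space after the number from the old `13.**Save**`; since the line is touched anyway, make it `14. **Save** your rule.` so it renders as a list item.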