原文地址: https://www.elastic.co/guide/en/elasticsearch/reference/7.7/ml-get-bucket.html, 原文档版权归 www.elastic.co 所有
IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Get buckets APIedit
Retrieves anomaly detection job results for one or more buckets.
Requestedit
GET _ml/anomaly_detectors/<job_id>/results/buckets
GET _ml/anomaly_detectors/<job_id>/results/buckets/<timestamp>
Prerequisitesedit
-
If the Elasticsearch security features are enabled, you must have
monitor_ml
,monitor
,manage_ml
, ormanage
cluster privileges to use this API. You also needread
index privilege on the index that stores the results. Themachine_learning_admin
andmachine_learning_user
roles provide these privileges. For more information, see Security privileges and Built-in roles.
Descriptionedit
The get buckets API presents a chronological view of the records, grouped by bucket.
Path parametersedit
-
<job_id>
- (Required, string) Identifier for the anomaly detection job.
-
<timestamp>
- (Optional, string) The timestamp of a single bucket result. If you do not specify this parameter, the API returns information about all buckets.
Request bodyedit
-
anomaly_score
- (Optional, double) Returns buckets with anomaly scores greater or equal than this value.
-
desc
- (Optional, boolean) If true, the results are sorted in descending order.
-
end
- (Optional, string) Returns buckets with timestamps earlier than this time.
-
exclude_interim
-
(Optional, boolean)
If
true
, the output excludes interim results. By default, interim results are included. -
expand
- (Optional, boolean) If true, the output includes anomaly records.
-
page
.from
- (Optional, integer) Skips the specified number of buckets.
-
page
.size
- (Optional, integer) Specifies the maximum number of buckets to obtain.
-
sort
-
(Optional, string) Specifies the sort field for the requested buckets. By
default, the buckets are sorted by the
timestamp
field. -
start
- (Optional, string) Returns buckets with timestamps after this time.
Response bodyedit
The API returns an array of bucket objects, which have the following properties:
-
anomaly_score
- (number) The maximum anomaly score, between 0-100, for any of the bucket influencers. This is an overall, rate-limited score for the job. All the anomaly records in the bucket contribute to this score. This value might be updated as new data is analyzed.
-
bucket_influencers
-
(array) An array of bucket influencer objects.
Properties of
bucket_influencers
-
anomaly_score
- (number) A normalized score between 0-100, which is calculated for each bucket influencer. This score might be updated as newer data is analyzed.
-
bucket_span
-
(number)
The length of the bucket in seconds. This value matches the
bucket_span
that is specified in the job. -
initial_anomaly_score
- (number) The score between 0-100 for each bucket influencer. This score is the initial value that was calculated at the time the bucket was processed.
-
influencer_field_name
- (string) The field name of the influencer.
-
influencer_field_value
- (string) The field value of the influencer.
-
is_interim
-
(boolean)
If
true
, this is an interim result. In other words, the results are calculated based on partial input data. -
job_id
- (string) Identifier for the anomaly detection job.
-
probability
-
(number) The probability that the bucket has this behavior, in the range 0 to 1.
This value can be held to a high precision of over 300 decimal places, so the
anomaly_score
is provided as a human-readable and friendly interpretation of this. -
raw_anomaly_score
- (number) Internal.
-
result_type
-
(string) Internal. This value is always set to
bucket_influencer
. -
timestamp
- (date) The start time of the bucket for which these results were calculated.
-
-
bucket_span
-
(number)
The length of the bucket in seconds. This value matches the
bucket_span
that is specified in the job. -
event_count
- (number) The number of input data records processed in this bucket.
-
initial_anomaly_score
-
(number) The maximum
anomaly_score
for any of the bucket influencers. This is the initial value that was calculated at the time the bucket was processed. -
is_interim
-
(boolean)
If
true
, this is an interim result. In other words, the results are calculated based on partial input data. -
job_id
- (string) Identifier for the anomaly detection job.
-
processing_time_ms
- (number) The amount of time, in milliseconds, that it took to analyze the bucket contents and calculate results.
-
result_type
-
(string) Internal. This value is always set to
bucket
. -
timestamp
-
(date) The start time of the bucket. This timestamp uniquely identifies the bucket.
Events that occur exactly at the timestamp of the bucket are included in the results for the bucket.
Examplesedit
GET _ml/anomaly_detectors/low_request_rate/results/buckets { "anomaly_score": 80, "start": "1454530200001" }
In this example, the API returns a single result that matches the specified score and time constraints:
{ "count" : 1, "buckets" : [ { "job_id" : "low_request_rate", "timestamp" : 1578398400000, "anomaly_score" : 91.58505459594764, "bucket_span" : 3600, "initial_anomaly_score" : 91.58505459594764, "event_count" : 0, "is_interim" : false, "bucket_influencers" : [ { "job_id" : "low_request_rate", "result_type" : "bucket_influencer", "influencer_field_name" : "bucket_time", "initial_anomaly_score" : 91.58505459594764, "anomaly_score" : 91.58505459594764, "raw_anomaly_score" : 0.5758246639716365, "probability" : 1.7340849573442696E-4, "timestamp" : 1578398400000, "bucket_span" : 3600, "is_interim" : false } ], "processing_time_ms" : 0, "result_type" : "bucket" } ] }