|
@@ -2,29 +2,24 @@
|
|
|
navigation_title: "Change point"
|
|
|
mapped_pages:
|
|
|
- https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-change-point-aggregation.html
|
|
|
+applies_to:
|
|
|
+ stack: preview 9.0, ga 9.2
|
|
|
+ serverless: ga
|
|
|
---
|
|
|
|
|
|
# Change point aggregation [search-aggregations-change-point-aggregation]
|
|
|
|
|
|
-
|
|
|
-::::{warning}
|
|
|
-This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
|
|
|
-::::
|
|
|
-
|
|
|
-
|
|
|
A sibling pipeline that detects, spikes, dips, and change points in a metric. Given a distribution of values provided by the sibling multi-bucket aggregation, this aggregation indicates the bucket of any spike or dip and/or the bucket at which the largest change in the distribution of values, if they are statistically significant.
|
|
|
|
|
|
::::{tip}
|
|
|
It is recommended to use the change point aggregation to detect changes in time-based data, however, you can use any metric to create buckets.
|
|
|
::::
|
|
|
|
|
|
-
|
|
|
## Parameters [change-point-agg-syntax]
|
|
|
|
|
|
`buckets_path`
|
|
|
: (Required, string) Path to the buckets that contain one set of values in which to detect a change point. There must be at least 22 bucketed values. Fewer than 1,000 is preferred. For syntax, see [`buckets_path` Syntax](/reference/aggregations/pipeline.md#buckets-path-syntax).
|
|
|
|
|
|
-
|
|
|
## Syntax [_syntax_11]
|
|
|
|
|
|
A `change_point` aggregation looks like this in isolation:
|
|
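Review bot: the removed `::::{warning}` block was the only body text carrying the technical-preview support caveat, and the new front matter still declares `stack: preview 9.0`. Please confirm that the `applies_to` entry surfaces that caveat for readers on the preview versions, and keep a version-scoped note if it does not. While this part of the file is being touched, the unchanged intro sentence also needs a fix: drop the comma in "detects, spikes" and give the second sentence its missing verb, for example "the bucket at which the largest change in the distribution of values occurs, if it is statistically significant".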
@@ -39,8 +34,6 @@ A `change_point` aggregation looks like this in isolation:
|
|
|
|
|
|
1. The buckets containing the values to test against.
|
|
|
|
|
|
-
|
|
|
-
|
|
|
## Response body [change-point-agg-response]
|
|
|
|
|
|
`bucket`
|
|
@@ -54,7 +47,6 @@ A `change_point` aggregation looks like this in isolation:
|
|
|
`doc_count`
|
|
|
: (number) The document count of the bucket.
|
|
|
|
|
|
-
|
|
|
`type`
|
|
|
: (object) The found change point type and its related values. Possible types:
|
|
|
|
|
@@ -67,7 +59,6 @@ A `change_point` aggregation looks like this in isolation:
|
|
|
* `trend_change`: there is an overall trend change occurring at this point
|
|
|
|
|
|
|
|
|
-
|
|
|
## Example [_example_7]
|
|
|
|
|
|
The following example uses the Kibana sample data logs data set.
|
|
@@ -103,7 +94,6 @@ GET kibana_sample_data_logs/_search
|
|
|
3. The change point detection aggregation configuration object.
|
|
|
4. The path of the aggregation values to detect change points. In this case, the input of the change point aggregation is the value of `avg` which is a sibling aggregation of `date`.
|
|
|
|
|
|
-
|
|
|
The request returns a response that is similar to the following:
|
|
|
|
|
|
```js
|
|
@@ -130,6 +120,3 @@ The request returns a response that is similar to the following:
|
|
|
4. Type of change found.
|
|
|
5. The `p_value` indicates how extreme the change is; lower values indicate greater change.
|
|
|
6. The specific bucket where the change occurs (indexing starts at `0`).
|
|
|
-
|
|
|
-
|
|
|
-
|
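Review bot: callout 5 in the context lines of this hunk says the `p_value` "indicates how extreme the change is; lower values indicate greater change", which reads as a magnitude, while the intro describes detections as statistically significant. Since the page is being marked GA, consider rewording it so that a lower `p_value` means stronger statistical evidence for the change rather than a larger change. The three removed lines are blank lines at the end of the file, so also check that the file still ends with a single newline.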