|
@@ -30,38 +30,38 @@ ideal for this purpose.
|
|
|
[[creating-ml-rules]]
|
|
|
== Creating a rule
|
|
|
|
|
|
-You can create {ml} rules in the {anomaly-job} wizard after you start the job,
|
|
|
-from the job list, or under **{stack-manage-app} > {alerts-ui}**.
|
|
|
-
|
|
|
-On the *Create rule* window, give a name to the rule and optionally provide
|
|
|
-tags. Specify the time interval for the rule to check detected anomalies or job
|
|
|
-health changes. It is recommended to select an interval that is close to the
|
|
|
-bucket span of the job. You can also select a notification option with the
|
|
|
-_Notify_ selector. An alert remains active as long as the configured conditions
|
|
|
-are met during the check interval. When there is no matching condition in the
|
|
|
-next interval, the `Recovered` action group is invoked and the status of the
|
|
|
-alert changes to `OK`. For more details, refer to the documentation of
|
|
|
-{kibana-ref}/create-and-manage-rules.html#defining-rules-general-details[general rule details].
|
|
|
-
|
|
|
-Select the rule type you want to create under the {ml} section and continue to
|
|
|
-configure it depending on whether it is an
|
|
|
-<<creating-anomaly-alert-rules, {anomaly-detect} alert>> or an
|
|
|
-<<creating-anomaly-jobs-health-rules, {anomaly-job} health>> rule.
|
|
|
+In *{stack-manage-app} > {rules-ui}*, you can create both types of {ml} rules:
|
|
|
|
|
|
[role="screenshot"]
|
|
|
-image::images/ml-rule.jpg["Creating a new machine learning rule"]
|
|
|
+image::images/ml-rule.png["Creating a new machine learning rule",500]
|
|
|
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
|
|
|
|
|
|
+When you create a {ml} rule, you must provide a time interval for the rule to
|
|
|
+check detected anomalies or job health changes. It is recommended to select an
|
|
|
+interval that is close to the bucket span of the job.
|
|
|
+
|
|
|
+You must also select a notification option, which affects how often alerts
|
|
|
+generate actions. Options include running actions at each check interval, only
|
|
|
+when the alert status changes, or at a custom action interval. For more
|
|
|
+information about these options, refer to the
|
|
|
+{kibana-ref}/create-and-manage-rules.html#defining-rules-general-details[General rule details].
|
|
|
+
|
|
|
+In the *{ml-app}* app, you can create only {anomaly-detect} alert rules; create
|
|
|
+them from the {anomaly-job} wizard after you start the job or from the
|
|
|
+{anomaly-job} list.
|
|
|
|
|
|
[[creating-anomaly-alert-rules]]
|
|
|
=== {anomaly-detect-cap} alert
|
|
|
|
|
|
-Select the job that the rule applies to.
|
|
|
+When you create an {anomaly-detect} alert rule, you must select the job that
|
|
|
+the rule applies to.
|
|
|
|
|
|
-You must select a type of {ml} result. In particular, you can create rules based
|
|
|
-on bucket, record, or influencer results.
|
|
|
+You must also select a type of {ml} result. In particular, you can create rules
|
|
|
+based on bucket, record, or influencer results.
|
|
|
|
|
|
[role="screenshot"]
|
|
|
-image::images/ml-anomaly-alert-severity.jpg["Selecting result type, severity, and test interval", 500]
|
|
|
+image::images/ml-anomaly-alert-severity.png["Selecting result type, severity, and test interval", 500]
|
|
|
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
|
|
|
|
|
|
For each rule, you can configure the `anomaly_score` that triggers the action.
|
|
|
The `anomaly_score` indicates the significance of a given anomaly compared to
|
|
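Review bot: The rewritten introduction (the added lines starting "When you create a {ml} rule, you must provide a time interval") drops the removed explanation that an alert remains active while the conditions are met, and that the `Recovered` action group is invoked and the status changes to `OK` when nothing matches in the next interval. Later sections still refer to recovered alerts, so either keep one sentence on that lifecycle here or confirm that the linked General rule details page covers it. The added text also no longer mentions naming the rule or the optional tags; restore that if the omission was not intended.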
@@ -98,8 +98,9 @@ are met.
|
|
|
[[creating-anomaly-jobs-health-rules]]
|
|
|
=== {anomaly-jobs-cap} health
|
|
|
|
|
|
-Select the job or group that the rule applies to. If you assign more jobs to the
|
|
|
-group, they are included the next time the rule conditions are checked.
|
|
|
+When you create an {anomaly-jobs} health rule, you must select the job or group
|
|
|
+that the rule applies to. If you assign more jobs to the group, they are
|
|
|
+included the next time the rule conditions are checked.
|
|
|
|
|
|
You can also use a special character (`*`) to apply the rule to all your jobs.
|
|
|
Jobs created after the rule are automatically included. You can exclude jobs
|
|
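Review bot: The added line "When you create an {anomaly-jobs} health rule" uses the plural attribute after "an", while the removed cross-reference text in the first hunk called this an "{anomaly-job} health" rule. Check how the sentence renders and pick one form for the rule type name so the prose, the heading, and the cross-references agree.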
@@ -131,7 +132,8 @@ _Errors in job messages_::
|
|
|
that occur after the rule is created; it does not look at historic behavior.
|
|
|
|
|
|
[role="screenshot"]
|
|
|
-image::images/ml-health-check-config.jpg["Selecting health checkers"]
|
|
|
+image::images/ml-health-check-config.png["Selecting health checkers",500]
|
|
|
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
|
|
|
|
|
|
As the last step in the rule creation process,
|
|
|
<<defining-actions, define the actions>> that occur when the conditions
|
|
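Review bot: The new image line writes the width as ["Selecting health checkers",500] with no space after the comma, while the severity screenshot in the first hunk keeps ", 500" with a space. Use one spacing style across the image macros in this file. Since the extension changes from .jpg to .png, also confirm that images/ml-health-check-config.png is added in the same change and that the old .jpg is removed.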
@@ -141,43 +143,35 @@ are met.
|
|
|
[[defining-actions]]
|
|
|
== Defining actions
|
|
|
|
|
|
-Connect your rule to actions that use supported built-in integrations by
|
|
|
-selecting a connector type. Connectors are {kib} services or third-party
|
|
|
-integrations that perform an action when the rule conditions are met or the
|
|
|
-alert is recovered. You can select in which case the action will run.
|
|
|
-
|
|
|
-[role="screenshot"]
|
|
|
-image::images/ml-anomaly-alert-actions.jpg["Selecting connector type"]
|
|
|
-
|
|
|
-For example, you can choose _Slack_ as a connector type and configure it to send
|
|
|
-a message to a channel you selected. You can also create an index connector that
|
|
|
-writes the JSON object you configure to a specific index. It's also possible to
|
|
|
-customize the notification messages. A list of variables is available to include
|
|
|
-in the message, like job ID, anomaly score, time, top influencers, {dfeed} ID,
|
|
|
-memory status and so on based on the selected rule type. Refer to
|
|
|
-<<action-variables>> to see the full list of available variables by rule type.
|
|
|
+Your rule can use connectors, which are {kib} services or supported third-party
|
|
|
+integrations that run actions when the rule conditions are met or when the
|
|
|
+alert is recovered. For details about creating connectors, refer to
|
|
|
+{kibana-ref}/action-types.html[Connectors].
|
|
|
|
|
|
+For example, you can use a Slack connector to send a message to a channel. Or
|
|
|
+you can use an index connector that writes an JSON object to a specific index.
|
|
|
+It's also possible to customize the notification messages. There is a set of
|
|
|
+variables that you can include in the message depending on the rule type; refer
|
|
|
+to <<action-variables>>.
|
|
|
|
|
|
[role="screenshot"]
|
|
|
-image::images/ml-anomaly-alert-messages.jpg["Customizing your message"]
|
|
|
-
|
|
|
-After you save the configurations, the rule appears in the *{alerts-ui}* list
|
|
|
-where you can check its status and see the overview of its configuration
|
|
|
-information.
|
|
|
+image::images/ml-anomaly-alert-messages.png["Customizing your message",500]
|
|
|
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
|
|
|
|
|
|
-The name of an alert is always the same as the job ID of the associated
|
|
|
-{anomaly-job} that triggered it. You can mute the notifications for a particular
|
|
|
-{anomaly-job} on the page of the rule that lists the individual alerts. You can
|
|
|
-open it via *{alerts-ui}* by selecting the rule name.
|
|
|
+After you save the configurations, the rule appears in the
|
|
|
+*{stack-manage-app} > {rules-ui}* list; you can check its status and see the
|
|
|
+overview of its configuration information.
|
|
|
|
|
|
+When an alert occurs, it is always the same name as the job ID of the associated
|
|
|
+{anomaly-job} that triggered it. If necessary, you can snooze rules to prevent
|
|
|
+them from generating actions. For more details, refer to
|
|
|
+{kibana-ref}/create-and-manage-rules.html#controlling-rules[Snooze and disable rules].
|
|
|
|
|
|
[[action-variables]]
|
|
|
== Action variables
|
|
|
|
|
|
-You can add different variables to your action. The following variables are
|
|
|
-specific to the {ml} rule types. An `*` marks the variables that can be used for
|
|
|
-actions of recovered alerts.
|
|
|
-
|
|
|
+The following variables are specific to the {ml} rule types. An asterisk (`*`)
|
|
|
+marks the variables that you can use in actions related to recovered alerts.
|
|
|
|
|
|
[[anomaly-alert-action-variables]]
|
|
|
=== {anomaly-detect-cap} alert action variables
|
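Review bot: Two wording problems in the added text under "Defining actions": "writes an JSON object" should be "writes a JSON object", and "When an alert occurs, it is always the same name as the job ID" reads better as "When an alert occurs, its name is always the same as the job ID". Separately, the removed paragraph described muting notifications for a particular {anomaly-job} from the rule's alert list, and the replacement only mentions snoozing rules; if per-alert muting is still available, say so, because snoozing the whole rule is a broader action. The removed sentence "You can select in which case the action will run" also has no replacement here, so check that the linked Connectors page covers it.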