Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 1cfa86ee13
Branches Tags
elasticsearch
/
docs
/
reference
/
ml
/
anomaly-detection
/
ml-delayed-data-detection.asciidoc

ml-delayed-data-detection.asciidoc 4.3 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485 
  1. [role="xpack"]
    2. 

  2. [[ml-delayed-data-detection]]
    3. 

  3. = Handling delayed data
    4. 

  4. 

  5. Delayed data are documents that are indexed late. That is to say, it is data 
    6. 

  6. related to a time that your {dfeed} has already processed and it is therefore
    7. 

  7. never analyzed by your {anomaly-job}.
    8. 

  8. 

  9. When you create a {dfeed}, you can specify a
    10. 

  10. {ref}/ml-put-datafeed.html#ml-put-datafeed-request-body[`query_delay`] setting.
    11. 

  11. This setting enables the {dfeed} to wait for some time past real-time, which
    12. 

  12. means any "late" data in this period is fully indexed before the {dfeed} tries
    13. 

  13. to gather it. However, if the setting is set too low, the {dfeed} may query for
    14. 

  14. data before it has been indexed and consequently miss that document. Conversely,
    15. 

  15. if it is set too high, analysis drifts farther away from real-time. The balance
    16. 

  16. that is struck depends upon each use case and the environmental factors of the
    17. 

  17. cluster.
    18. 

  18. 

  19. IMPORTANT: If you get an error that says
    20. 

  20. `Datafeed missed XXXX documents due to ingest latency`, consider increasing 
    21. 

  21. the value of `query_delay'. If it doesn't help, investigate the ingest latency and its 
    22. 

  22. cause. You can do this by comparing event and ingest timestamps. High latency 
    23. 

  23. is often caused by bursts of ingested documents, misconfiguration of the ingest 
    24. 

  24. pipeline, or misalignment of system clocks.
    25. 

  25. 

  26. == Why worry about delayed data?
    27. 

  27. 

  28. If data are delayed randomly (and consequently are missing from analysis), the
    29. 

  29. results of certain types of functions are not really affected. In these
    30. 

  30. situations, it all comes out okay in the end as the delayed data is distributed
    31. 

  31. randomly. An example would be a `mean` metric for a field in a large collection
    32. 

  32. of data. In this case, checking for delayed data may not provide much benefit.
    33. 

  33. If data are consistently delayed, however, {anomaly-jobs} with a `low_count`
    34. 

  34. function may provide false positives. In this situation, it would be useful to
    35. 

  35. see if data comes in after an anomaly is recorded so that you can determine a
    36. 

  36. next course of action.
    37. 

  37. 

  38. == How do we detect delayed data?
    39. 

  39. 

  40. In addition to the `query_delay` field, there is a delayed data check config,
    41. 

  41. which enables you to configure the datafeed to look in the past for delayed data.
    42. 

  42. Every 15 minutes or every `check_window`, whichever is smaller, the datafeed
    43. 

  43. triggers a document search over the configured indices. This search looks over a
    44. 

  44. time span with a length of `check_window` ending with the latest finalized bucket.
    45. 

  45. That time span is partitioned into buckets, whose length equals the bucket span
    46. 

  46. of the associated {anomaly-job}. The `doc_count` of those buckets are then
    47. 

  47. compared with the job's finalized analysis buckets to see whether any data has
    48. 

  48. arrived since the analysis. If there is indeed missing data due to their ingest
    49. 

  49. delay, the end user is notified. For example, you can see annotations in {kib}
    50. 

  50. for the periods where these delays occur:
    51. 

  51. 

  52. [role="screenshot"]
    53. 

  53. image::images/ml-annotations.png["Delayed data annotations in the Single Metric Viewer"]
    54. 

  54. 

  55. [IMPORTANT]
    56. 

  56. ====
    57. 

  57. As the `doc_count` from an aggregation is compared with the
    58. 

  58. bucket results of the job, the delayed data check will not work correctly in the
    59. 

  59. following cases:
    60. 

  60. 

  61. * if the datafeed uses aggregations and the job's `analysis_config` does not have its
    62. 

  62. `summary_count_field_name` set to `doc_count`,
    63. 

  63. * if the datafeed is _not_ using aggregations and `summary_count_field_name` is set to
    64. 

  64. any value.
    65. 

  65. 

  66. If the datafeed is using aggregations then it's highly likely that the job's
    67. 

  67. `summary_count_field_name` should be set to `doc_count`. If
    68. 

  68. `summary_count_field_name` is set to any value other than `doc_count`, the
    69. 

  69. delayed data check for the datafeed must be disabled.
    70. 

  70. ====
    71. 

  71. There is another tool for visualizing the delayed data on the *Annotations* tab
    72. 

  72. in the {anomaly-detect} job management page:
    73. 

  73. 

  74. [role="screenshot"]
    75. 

  75. image::images/ml-datafeed-chart.png["Delayed data in the {dfeed} chart"]
    76. 

  76. 

  77. == What to do about delayed data?
    78. 

  78. 

  79. The most common course of action is to simply to do nothing. For many functions
    80. 

  80. and situations, ignoring the data is acceptable. However, if the amount of
    81. 

  81. delayed data is too great or the situation calls for it, the next course of
    82. 

  82. action to consider is to increase the `query_delay` of the datafeed. This
    83. 

  83. increased delay allows more time for data to be indexed. If you have real-time
    84. 

  84. constraints, however, an increased delay might not be desirable. In which case,
    85. 

  85. you would have to {ref}/tune-for-indexing-speed.html[tune for better indexing speed]. 
    86.