Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 401d302c69
Branches Tags
elasticsearch
/
docs
/
reference
/
ml
/
anomaly-detection
/
apis
/
get-overall-buckets.asciidoc

get-overall-buckets.asciidoc 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209 
  1. [role="xpack"]
    2. 

  2. [testenv="platinum"]
    3. 

  3. [[ml-get-overall-buckets]]
    4. 

  4. = Get overall buckets API
    5. 

  5. ++++
    6. 

  6. <titleabbrev>Get overall buckets</titleabbrev>
    7. 

  7. ++++
    8. 

  8. 

  9. Retrieves overall bucket results that summarize the bucket results of multiple
    10. 

  10. {anomaly-jobs}.
    11. 

  11. 

  12. [[ml-get-overall-buckets-request]]
    13. 

  13. == {api-request-title}
    14. 

  14. 

  15. `GET _ml/anomaly_detectors/<job_id>/results/overall_buckets` +
    16. 

  16. 

  17. `GET _ml/anomaly_detectors/<job_id>,<job_id>/results/overall_buckets` +
    18. 

  18. 

  19. `GET _ml/anomaly_detectors/_all/results/overall_buckets`
    20. 

  20. 

  21. [[ml-get-overall-buckets-prereqs]]
    22. 

  22. == {api-prereq-title}
    23. 

  23. 

  24. * If the {es} {security-features} are enabled, you must have `monitor_ml`,
    25. 

  25. `monitor`, `manage_ml`, or `manage` cluster privileges to use this API. You also
    26. 

  26. need `read` index privilege on the index that stores the results. The
    27. 

  27. `machine_learning_admin` and `machine_learning_user` roles provide these
    28. 

  28. privileges. See <<security-privileges>>, <<built-in-roles>>, and
    29. 

  29. {ml-docs-setup-privileges}.
    30. 

  30. 

  31. [[ml-get-overall-buckets-desc]]
    32. 

  32. == {api-description-title}
    33. 

  33. 

  34. You can summarize the bucket results for all {anomaly-jobs} by using `_all` or
    35. 

  35. by specifying `*` as the `<job_id>`.
    36. 

  36. 

  37. By default, an overall bucket has a span equal to the largest bucket span of the
    38. 

  38. specified {anomaly-jobs}. To override that behavior, use the optional
    39. 

  39. `bucket_span` parameter. To learn more about the concept of buckets, see
    40. 

  40. {ml-docs}/ml-buckets.html[Buckets].
    41. 

  41. 

  42. The `overall_score` is calculated by combining the scores of all the buckets
    43. 

  43. within the overall bucket span. First, the maximum `anomaly_score` per
    44. 

  44. {anomaly-job} in the overall bucket is calculated. Then the `top_n` of those
    45. 

  45. scores are averaged to result in the `overall_score`. This means that you can
    46. 

  46. fine-tune the `overall_score` so that it is more or less sensitive to the number
    47. 

  47. of jobs that detect an anomaly at the same time. For example, if you set `top_n`
    48. 

  48. to `1`, the `overall_score` is the maximum bucket score in the overall bucket.
    49. 

  49. Alternatively, if you set `top_n` to the number of jobs, the `overall_score` is
    50. 

  50. high only when all jobs detect anomalies in that overall bucket.  If you set
    51. 

  51. the `bucket_span` parameter (to a value greater than its default), the
    52. 

  52. `overall_score` is the maximum `overall_score` of the overall buckets that have
    53. 

  53. a span equal to the jobs' largest bucket span.
    54. 

  54. 

  55. [[ml-get-overall-buckets-path-parms]]
    56. 

  56. == {api-path-parms-title}
    57. 

  57. 

  58. `<job_id>`::
    59. 

  59. (Required, string)
    60. 

  60. include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection-wildcard-list]
    61. 

  61. 

  62. [[ml-get-overall-buckets-request-body]]
    63. 

  63. == {api-request-body-title}
    64. 

  64. 

  65. `allow_no_match`::
    66. 

  66. (Optional, Boolean)
    67. 

  67. include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=allow-no-jobs]
    68. 

  68. 

  69. `bucket_span`::
    70. 

  70. (Optional, string) The span of the overall buckets. Must be greater or equal to
    71. 

  71. the largest bucket span of the specified {anomaly-jobs}, which is the default
    72. 

  72. value.
    73. 

  73. 

  74. `end`::
    75. 

  75. (Optional, string) Returns overall buckets with timestamps earlier than this
    76. 

  76. time.
    77. 

  77. 

  78. `exclude_interim`::
    79. 

  79. (Optional, Boolean) If `true`, the output excludes interim overall buckets.
    80. 

  80. Overall buckets are interim if any of the job buckets within the overall bucket
    81. 

  81. interval are interim. By default, interim results are included.
    82. 

  82. 

  83. `overall_score`::
    84. 

  84. (Optional, double) Returns overall buckets with overall scores greater or equal
    85. 

  85. than this value.
    86. 

  86. 

  87. `start`::
    88. 

  88. (Optional, string) Returns overall buckets with timestamps after this time.
    89. 

  89. 

  90. `top_n`::
    91. 

  91. (Optional, integer) The number of top {anomaly-job} bucket scores to be used in
    92. 

  92. the `overall_score` calculation. The default value is `1`.
    93. 

  93. 

  94. [[ml-get-overall-buckets-results]]
    95. 

  95. == {api-response-body-title}
    96. 

  96. 

  97. The API returns an array of overall bucket objects, which have the following
    98. 

  98. properties:
    99. 

  99. 

  100. `bucket_span`::
    101. 

  101. (number) The length of the bucket in seconds. Matches the `bucket_span`
    102. 

  102. of the job with the longest one.
    103. 

  103. 

  104. `is_interim`::
    105. 

  105. (Boolean)
    106. 

  106. include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=is-interim]
    107. 

  107. 

  108. `jobs`::
    109. 

  109. (array) An array of objects that contain the `max_anomaly_score` per `job_id`.
    110. 

  110. 

  111. `overall_score`::
    112. 

  112. (number) The `top_n` average of the max bucket `anomaly_score` per job.
    113. 

  113. 

  114. `result_type`::
    115. 

  115. (string) Internal. This is always set to `overall_bucket`.
    116. 

  116. 

  117. `timestamp`::
    118. 

  118. (date)
    119. 

  119. include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=timestamp-results]
    120. 

  120. 

  121. [[ml-get-overall-buckets-example]]
    122. 

  122. == {api-examples-title}
    123. 

  123. 

  124. [source,console]
    125. 

  125. --------------------------------------------------
    126. 

  126. GET _ml/anomaly_detectors/job-*/results/overall_buckets
    127. 

  127. {
    128. 

  128.   "overall_score": 80,
    129. 

  129.   "start": "1403532000000"
    130. 

  130. }
    131. 

  131. --------------------------------------------------
    132. 

  132. // TEST[skip:todo]
    133. 

  133. 

  134. In this example, the API returns a single result that matches the specified
    135. 

  135. score and time constraints. The `overall_score` is the max job score as
    136. 

  136. `top_n` defaults to 1 when not specified:
    137. 

  137. [source,js]
    138. 

  138. ----
    139. 

  139. {
    140. 

  140.   "count": 1,
    141. 

  141.   "overall_buckets": [
    142. 

  142.     {
    143. 

  143.       "timestamp" : 1403532000000,
    144. 

  144.       "bucket_span" : 3600,
    145. 

  145.       "overall_score" : 80.0,
    146. 

  146.       "jobs" : [
    147. 

  147.         {
    148. 

  148.           "job_id" : "job-1",
    149. 

  149.           "max_anomaly_score" : 30.0
    150. 

  150.         },
    151. 

  151.         {
    152. 

  152.           "job_id" : "job-2",
    153. 

  153.           "max_anomaly_score" : 10.0
    154. 

  154.         },
    155. 

  155.         {
    156. 

  156.           "job_id" : "job-3",
    157. 

  157.           "max_anomaly_score" : 80.0
    158. 

  158.         }
    159. 

  159.       ],
    160. 

  160.       "is_interim" : false,
    161. 

  161.       "result_type" : "overall_bucket"
    162. 

  162.     }
    163. 

  163.   ]
    164. 

  164. }
    165. 

  165. ----
    166. 

  166. 

  167. The next example is similar but this time `top_n` is set to `2`:
    168. 

  168. 

  169. [source,console]
    170. 

  170. --------------------------------------------------
    171. 

  171. GET _ml/anomaly_detectors/job-*/results/overall_buckets
    172. 

  172. {
    173. 

  173.   "top_n": 2,
    174. 

  174.   "overall_score": 50.0,
    175. 

  175.   "start": "1403532000000"
    176. 

  176. }
    177. 

  177. --------------------------------------------------
    178. 

  178. // TEST[skip:todo]
    179. 

  179. 

  180. Note how the `overall_score` is now the average of the top 2 job scores:
    181. 

  181. [source,js]
    182. 

  182. ----
    183. 

  183. {
    184. 

  184.   "count": 1,
    185. 

  185.   "overall_buckets": [
    186. 

  186.     {
    187. 

  187.       "timestamp" : 1403532000000,
    188. 

  188.       "bucket_span" : 3600,
    189. 

  189.       "overall_score" : 55.0,
    190. 

  190.       "jobs" : [
    191. 

  191.         {
    192. 

  192.           "job_id" : "job-1",
    193. 

  193.           "max_anomaly_score" : 30.0
    194. 

  194.         },
    195. 

  195.         {
    196. 

  196.           "job_id" : "job-2",
    197. 

  197.           "max_anomaly_score" : 10.0
    198. 

  198.         },
    199. 

  199.         {
    200. 

  200.           "job_id" : "job-3",
    201. 

  201.           "max_anomaly_score" : 80.0
    202. 

  202.         }
    203. 

  203.       ],
    204. 

  204.       "is_interim" : false,
    205. 

  205.       "result_type" : "overall_bucket"
    206. 

  206.     }
    207. 

  207.   ]
    208. 

  208. }
    209. 

  209. ----
    210.