Home Explore Help
Register Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 458ef91066
Branches Tags
elasticsearch
/
docs
/
reference
/
ml
/
anomaly-detection
/
apis
/
get-category.asciidoc

get-category.asciidoc 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179 
  1. [role="xpack"]
    2. 

  2. [[ml-get-category]]
    3. 

  3. = Get categories API
    4. 

  4. ++++
    5. 

  5. <titleabbrev>Get categories</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. Retrieves {anomaly-job} results for one or more categories.
    9. 

  9. 

  10. [[ml-get-category-request]]
    11. 

  11. == {api-request-title}
    12. 

  12. 

  13. `GET _ml/anomaly_detectors/<job_id>/results/categories` +
    14. 

  14. 

  15. `GET _ml/anomaly_detectors/<job_id>/results/categories/<category_id>`
    16. 

  16. 

  17. [[ml-get-category-prereqs]]
    18. 

  18. == {api-prereq-title}
    19. 

  19. 

  20. Requires the `monitor_ml` cluster privilege. This privilege is included in the 
    21. 

  21. `machine_learning_user` built-in role.
    22. 

  22. 

  23. [[ml-get-category-desc]]
    24. 

  24. == {api-description-title}
    25. 

  25. 

  26. When `categorization_field_name` is specified in the job configuration, it is
    27. 

  27. possible to view the definitions of the resulting categories. A category
    28. 

  28. definition describes the common terms matched and contains examples of matched
    29. 

  29. values.
    30. 

  30. 

  31. The anomaly results from a categorization analysis are available as bucket,
    32. 

  32. influencer, and record results. For example, the results might indicate that
    33. 

  33. at 16:45 there was an unusual count of log message category 11. You can then
    34. 

  34. examine the description and examples of that category. For more information, see
    35. 

  35. {ml-docs}/ml-configuring-categories.html[Categorizing log messages].
    36. 

  36. 

  37. [[ml-get-category-path-parms]]
    38. 

  38. == {api-path-parms-title}
    39. 

  39. 

  40. `<job_id>`::
    41. 

  41. (Required, string)
    42. 

  42. include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]
    43. 

  43. 

  44. `<category_id>`::
    45. 

  45. (Optional, long) Identifier for the category, which is unique in the job. If you
    46. 

  46. specify neither the category ID nor the `partition_field_value`, the API returns
    47. 

  47. information about all categories. If you specify only the
    48. 

  48. `partition_field_value`, it returns information about all categories for the
    49. 

  49. specified partition.
    50. 

  50. 

  51. [[ml-get-category-query-parms]]
    52. 

  52. == {api-query-parms-title}
    53. 

  53. 

  54. `from`::
    55. 

  55. (Optional, integer) Skips the specified number of categories. Defaults to `0`.
    56. 

  56. 

  57. `partition_field_value`::
    58. 

  58. (Optional, string) Only return categories for the specified partition.
    59. 

  59. 

  60. `size`::
    61. 

  61. (Optional, integer) Specifies the maximum number of categories to obtain. 
    62. 

  62. Defaults to `100`.
    63. 

  63. 

  64. 

  65. [[ml-get-category-request-body]]
    66. 

  66. == {api-request-body-title}
    67. 

  67. 

  68. You can also specify the `partition_field_value` query parameter in the
    69. 

  69. request body.
    70. 

  70. 

  71. `page`::
    72. 

  72. +
    73. 

  73. .Properties of `page`
    74. 

  74. [%collapsible%open]
    75. 

  75. ====
    76. 

  76. 

  77. `from`:::
    78. 

  78. (Optional, integer) Skips the specified number of categories. Defaults to `0`.
    79. 

  79. 

  80. `size`:::
    81. 

  81. (Optional, integer) Specifies the maximum number of categories to obtain. 
    82. 

  82. Defaults to `100`.
    83. 

  83. ====
    84. 

  84. 

  85. [[ml-get-category-results]]
    86. 

  86. == {api-response-body-title}
    87. 

  87. 

  88. The API returns an array of category objects, which have the following properties:
    89. 

  89. 

  90. `category_id`::
    91. 

  91. (unsigned integer) A unique identifier for the category. `category_id` is unique
    92. 

  92. at the job level, even when per-partition categorization is enabled.
    93. 

  93. 

  94. 

  95. `examples`::
    96. 

  96. (array) A list of examples of actual values that matched the category.
    97. 

  97. 

  98. `grok_pattern`::
    99. 

  99. experimental[] (string) A Grok pattern that could be used in {ls} or an ingest 
    100. 

  100. pipeline to extract fields from messages that match the category. This field is
    101. 

  101. experimental and may be changed or removed in a future release. The Grok
    102. 

  102. patterns that are found are not optimal, but are often a good starting point for
    103. 

  103. manual tweaking.
    104. 

  104. 

  105. `job_id`::
    106. 

  106. (string)
    107. 

  107. include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]
    108. 

  108. 

  109. `max_matching_length`::
    110. 

  110. (unsigned integer) The maximum length of the fields that matched the category.
    111. 

  111. The value is increased by 10% to enable matching for similar fields that have
    112. 

  112. not been analyzed.
    113. 

  113. 

  114. // This doesn't use the shared description because there are
    115. 

  115. // categorization-specific aspects to its use in this context
    116. 

  116. `partition_field_name`::
    117. 

  117. (string) If per-partition categorization is enabled, this property identifies
    118. 

  118. the field used to segment the categorization. It is not present when
    119. 

  119. per-partition categorization is disabled.
    120. 

  120. 

  121. `partition_field_value`::
    122. 

  122. (string) If per-partition categorization is enabled, this property identifies
    123. 

  123. the value of the `partition_field_name` for the category. It is not present when
    124. 

  124. per-partition categorization is disabled.
    125. 

  125. 

  126. `regex`::
    127. 

  127. (string) A regular expression that is used to search for values that match the
    128. 

  128. category.
    129. 

  129. 

  130. `terms`::
    131. 

  131. (string) A space separated list of the common tokens that are matched in values
    132. 

  132. of the category.
    133. 

  133. 

  134. `num_matches`::
    135. 

  135. (long) The number of messages that have been matched by this category. This is
    136. 

  136. only guaranteed to have the latest accurate count after a job `_flush` or `_close`
    137. 

  137. 

  138. `preferred_to_categories`::
    139. 

  139. (list) A list of `category_id` entries that this current category encompasses.
    140. 

  140. Any new message that is processed by the categorizer will match against this
    141. 

  141. category and not any of the categories in this list. This is only guaranteed
    142. 

  142. to have the latest accurate list of categories after a job `_flush` or `_close`
    143. 

  143. 

  144. [[ml-get-category-example]]
    145. 

  145. == {api-examples-title}
    146. 

  146. 

  147. [source,console]
    148. 

  148. --------------------------------------------------
    149. 

  149. GET _ml/anomaly_detectors/esxi_log/results/categories
    150. 

  150. {
    151. 

  151.   "page":{
    152. 

  152.     "size": 1
    153. 

  153.   }
    154. 

  154. }
    155. 

  155. --------------------------------------------------
    156. 

  156. // TEST[skip:todo]
    157. 

  157. 

  158. [source,js]
    159. 

  159. ----
    160. 

  160. {
    161. 

  161.   "count": 11,
    162. 

  162.   "categories": [
    163. 

  163.     {
    164. 

  164.       "job_id" : "esxi_log",
    165. 

  165.       "category_id" : 1,
    166. 

  166.       "terms" : "Vpxa verbose vpxavpxaInvtVm opID VpxaInvtVmChangeListener Guest DiskInfo Changed",
    167. 

  167.       "regex" : ".*?Vpxa.+?verbose.+?vpxavpxaInvtVm.+?opID.+?VpxaInvtVmChangeListener.+?Guest.+?DiskInfo.+?Changed.*",
    168. 

  168.       "max_matching_length": 154,
    169. 

  169.       "examples" : [
    170. 

  170.         "Oct 19 17:04:44 esxi1.acme.com Vpxa: [3CB3FB90 verbose 'vpxavpxaInvtVm' opID=WFU-33d82c31] [VpxaInvtVmChangeListener] Guest DiskInfo Changed",
    171. 

  171.         "Oct 19 17:04:45 esxi2.acme.com Vpxa: [3CA66B90 verbose 'vpxavpxaInvtVm' opID=WFU-33927856] [VpxaInvtVmChangeListener] Guest DiskInfo Changed",
    172. 

  172.         "Oct 19 17:04:51 esxi1.acme.com Vpxa: [FFDBAB90 verbose 'vpxavpxaInvtVm' opID=WFU-25e0d447] [VpxaInvtVmChangeListener] Guest DiskInfo Changed",
    173. 

  173.         "Oct 19 17:04:58 esxi2.acme.com Vpxa: [FFDDBB90 verbose 'vpxavpxaInvtVm' opID=WFU-bbff0134] [VpxaInvtVmChangeListener] Guest DiskInfo Changed"
    174. 

  174.       ],
    175. 

  175.       "grok_pattern" : ".*?%{SYSLOGTIMESTAMP:timestamp}.+?Vpxa.+?%{BASE16NUM:field}.+?verbose.+?vpxavpxaInvtVm.+?opID.+?VpxaInvtVmChangeListener.+?Guest.+?DiskInfo.+?Changed.*"
    176. 

  176.     }
    177. 

  177.   ]
    178. 

  178. }
    179. 

  179. ----
    180.