lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184
							[role="xpack"]
[[ml-get-influencer]]
= Get influencers API
++++
<titleabbrev>Get influencers</titleabbrev>
++++

Retrieves {anomaly-job} results for one or more influencers.

[[ml-get-influencer-request]]
== {api-request-title}

`GET _ml/anomaly_detectors/<job_id>/results/influencers`

[[ml-get-influencer-prereqs]]
== {api-prereq-title}

Requires the `monitor_ml` cluster privilege. This privilege is included in the 
`machine_learning_user` built-in role.`

[[ml-get-influencer-desc]]
== {api-description-title}

Influencers are the entities that have contributed to, or are to blame for,
the anomalies. Influencer results are available only if an
`influencer_field_name` is specified in the job configuration.

[[ml-get-influencer-path-parms]]
== {api-path-parms-title}

`<job_id>`::
(Required, string)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]


[[ml-get-influencer-query-parms]]
== {api-query-parms-title}

`desc`::
(Optional, Boolean)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=desc-results]

`end`::
(Optional, string) Returns influencers with timestamps earlier than this time.
Defaults to `-1`, which means it is unset and results are not limited to 
specific timestamps.

`exclude_interim`::
(Optional, Boolean)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=exclude-interim-results]

`from`::
(Optional, integer)
Skips the specified number of influencers. Defaults to `0`.

`influencer_score`::
(Optional, double) Returns influencers with anomaly scores greater than or
equal to this value. Defaults to `0.0`.

`size`::
(Optional, integer)
Specifies the maximum number of influencers to obtain. Defaults to `100`.

`sort`::
(Optional, string) Specifies the sort field for the requested influencers. By
default, the influencers are sorted by the `influencer_score` value.

`start`::
(Optional, string) Returns influencers with timestamps after this time. Defaults 
to `-1`, which means it is unset and results are not limited to specific 
timestamps.


[[ml-get-influencer-request-body]]
== {api-request-body-title}

You can also specify the query parameters in the request body; the exception are
`from` and `size`, use `page` instead:

`page`::
+
.Properties of `page`
[%collapsible%open]
====

`from`:::
(Optional, integer) Skips the specified number of influencers. Defaults to `0`.

`size`:::
(Optional, integer) Specifies the maximum number of influencers to obtain. 
Defaults to `100`.
====

[[ml-get-influencer-results]]
== {api-response-body-title}

The API returns an array of influencer objects, which have the following
properties:

`bucket_span`::
(number)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=bucket-span-results]

`influencer_score`::
(number) A normalized score between 0-100, which is based on the probability of
the influencer in this bucket aggregated across detectors. Unlike
`initial_influencer_score`, this value will be updated by a re-normalization
process as new data is analyzed.

`influencer_field_name`::
(string) The field name of the influencer.

`influencer_field_value`::
(string) The entity that influenced, contributed to, or was to blame for the
anomaly.

`initial_influencer_score`::
(number) A normalized score between 0-100, which is based on the probability of
the influencer aggregated across detectors. This is the initial value that was
calculated at the time the bucket was processed.

`is_interim`::
(Boolean)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=is-interim]

`job_id`::
(string)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]

`probability`::
(number) The probability that the influencer has this behavior, in the range 0
to 1. For example, 0.0000109783. This value can be held to a high precision of
over 300 decimal places, so the `influencer_score` is provided as a
human-readable and friendly interpretation of this.

`result_type`::
(string) Internal. This value is always set to `influencer`.

`timestamp`::
(date)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=timestamp-results]

NOTE: Additional influencer properties are added, depending on the fields being
analyzed. For example, if it's analyzing `user_name` as an influencer, then a
field `user_name` is added to the result document. This information enables you to
filter the anomaly results more easily.

[[ml-get-influencer-example]]
== {api-examples-title}

[source,console]
--------------------------------------------------
GET _ml/anomaly_detectors/high_sum_total_sales/results/influencers
{
  "sort": "influencer_score",
  "desc": true
}
--------------------------------------------------
// TEST[skip:Kibana sample data]

In this example, the API returns the following information, sorted based on the
influencer score in descending order:
[source,js]
----
{
  "count": 189,
  "influencers": [
    {
      "job_id": "high_sum_total_sales",
      "result_type": "influencer",
      "influencer_field_name": "customer_full_name.keyword",
      "influencer_field_value": "Wagdi Shaw",
      "customer_full_name.keyword" : "Wagdi Shaw",
      "influencer_score": 99.02493,
      "initial_influencer_score" : 94.67233079580171,
      "probability" : 1.4784807245686567E-10,
      "bucket_span" : 3600,
      "is_interim" : false,
      "timestamp" : 1574661600000
    },
  ...
  ]
}
----