Home Explore Help
Register Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 6501338a9e
Branches Tags
elasticsearch
/
docs
/
reference
/
ml
/
anomaly-detection
/
functions.asciidoc

functions.asciidoc 2.4 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758 
  1. [role="xpack"]
    2. 

  2. [[ml-functions]]
    3. 

  3. == Function reference
    4. 

  4. 

  5. The {ml-features} include analysis functions that provide a wide variety of
    6. 

  6. flexible ways to analyze data for anomalies.
    7. 

  7. 

  8. When you create {anomaly-jobs}, you specify one or more detectors, which define
    9. 

  9. the type of analysis that needs to be done. If you are creating your job by
    10. 

  10. using {ml} APIs, you specify the functions in detector configuration objects.
    11. 

  11. If you are creating your job in {kib}, you specify the functions differently
    12. 

  12. depending on whether you are creating single metric, multi-metric, or advanced
    13. 

  13. jobs.
    14. 

  14. //For a demonstration of creating jobs in {kib}, see <<ml-getting-started>>.
    15. 

  15. 

  16. Most functions detect anomalies in both low and high values. In statistical
    17. 

  17. terminology, they apply a two-sided test. Some functions offer low and high
    18. 

  18. variations (for example, `count`, `low_count`, and `high_count`). These variations
    19. 

  19. apply one-sided tests, detecting anomalies only when the values are low or
    20. 

  20. high, depending one which alternative is used.
    21. 

  21. 

  22. You can specify a `summary_count_field_name` with any function except `metric`.
    23. 

  23. When you use `summary_count_field_name`, the {ml} features expect the input
    24. 

  24. data to be pre-aggregated. The value of the `summary_count_field_name` field
    25. 

  25. must contain the count of raw events that were summarized. In {kib}, use the
    26. 

  26. **summary_count_field_name** in advanced {anomaly-jobs}. Analyzing aggregated
    27. 

  27. input data provides a significant boost in performance. For more information, see
    28. 

  28. <<ml-configuring-aggregation>>.
    29. 

  29. 

  30. If your data is sparse, there may be gaps in the data which means you might have
    31. 

  31. empty buckets. You might want to treat these as anomalies or you might want these
    32. 

  32. gaps to be ignored. Your decision depends on your use case and what is important
    33. 

  33. to you. It also depends on which functions you use. The `sum` and `count`
    34. 

  34. functions are strongly affected by empty buckets. For this reason, there are
    35. 

  35. `non_null_sum` and `non_zero_count` functions, which are tolerant to sparse data.
    36. 

  36. These functions effectively ignore empty buckets.
    37. 

  37. 

  38. * <<ml-count-functions>>
    39. 

  39. * <<ml-geo-functions>>
    40. 

  40. * <<ml-info-functions>>
    41. 

  41. * <<ml-metric-functions>>
    42. 

  42. * <<ml-rare-functions>>
    43. 

  43. * <<ml-sum-functions>>
    44. 

  44. * <<ml-time-functions>>
    45. 

  45. 

  46. include::functions/count.asciidoc[]
    47. 

  47. 

  48. include::functions/geo.asciidoc[]
    49. 

  49. 

  50. include::functions/info.asciidoc[]
    51. 

  51. 

  52. include::functions/metric.asciidoc[]
    53. 

  53. 

  54. include::functions/rare.asciidoc[]
    55. 

  55. 

  56. include::functions/sum.asciidoc[]
    57. 

  57. 

  58. include::functions/time.asciidoc[]
    59.