lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160
							[role="xpack"]
[testenv="platinum"]
[[ml-get-influencer]]
= Get influencers API
++++
<titleabbrev>Get influencers</titleabbrev>
++++

Retrieves {anomaly-job} results for one or more influencers.

[[ml-get-influencer-request]]
== {api-request-title}

`GET _ml/anomaly_detectors/<job_id>/results/influencers`

[[ml-get-influencer-prereqs]]
== {api-prereq-title}

* If the {es} {security-features} are enabled, you must have `monitor_ml`,
`monitor`, `manage_ml`, or `manage` cluster privileges to use this API. You also
need `read` index privilege on the index that stores the results. The
`machine_learning_admin` and `machine_learning_user` roles provide these
privileges. See <<security-privileges>> and
<<built-in-roles>>.

[[ml-get-influencer-desc]]
== {api-description-title}

Influencers are the entities that have contributed to, or are to blame for,
the anomalies. Influencer results are available only if an
`influencer_field_name` is specified in the job configuration.

[[ml-get-influencer-path-parms]]
== {api-path-parms-title}

`<job_id>`::
(Required, string)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]

[[ml-get-influencer-request-body]]
== {api-request-body-title}

`desc`::
(Optional, boolean)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=desc-results]

`end`::
(Optional, string) Returns influencers with timestamps earlier than this time.

`exclude_interim`::
(Optional, boolean)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=exclude-interim-results]

`influencer_score`::
(Optional, double) Returns influencers with anomaly scores greater than or
equal to this value.

`page`.`from`::
(Optional, integer) Skips the specified number of influencers.
`page`.`size`::
(Optional, integer) Specifies the maximum number of influencers to obtain.

`sort`::
(Optional, string) Specifies the sort field for the requested influencers. By
default, the influencers are sorted by the `influencer_score` value.

`start`::
(Optional, string) Returns influencers with timestamps after this time.

[[ml-get-influencer-results]]
== {api-response-body-title}

The API returns an array of influencer objects, which have the following
properties:

`bucket_span`::
(number)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=bucket-span-results]

`influencer_score`::
(number) A normalized score between 0-100, which is based on the probability of
the influencer in this bucket aggregated across detectors. Unlike
`initial_influencer_score`, this value will be updated by a re-normalization
process as new data is analyzed.

`influencer_field_name`::
(string) The field name of the influencer.

`influencer_field_value`::
(string) The entity that influenced, contributed to, or was to blame for the
anomaly.

`initial_influencer_score`::
(number) A normalized score between 0-100, which is based on the probability of
the influencer aggregated across detectors. This is the initial value that was
calculated at the time the bucket was processed.

`is_interim`::
(boolean)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=is-interim]

`job_id`::
(string)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]

`probability`::
(number) The probability that the influencer has this behavior, in the range 0
to 1. For example, 0.0000109783. This value can be held to a high precision of
over 300 decimal places, so the `influencer_score` is provided as a
human-readable and friendly interpretation of this.

`result_type`::
(string) Internal. This value is always set to `influencer`.

`timestamp`::
(date)
include::{es-repo-dir}/ml/ml-shared.asciidoc[tag=timestamp-results]

NOTE: Additional influencer properties are added, depending on the fields being
analyzed. For example, if it's analyzing `user_name` as an influencer, then a
field `user_name` is added to the result document. This information enables you to
filter the anomaly results more easily.

[[ml-get-influencer-example]]
== {api-examples-title}

[source,console]
--------------------------------------------------
GET _ml/anomaly_detectors/high_sum_total_sales/results/influencers
{
  "sort": "influencer_score",
  "desc": true
}
--------------------------------------------------
// TEST[skip:Kibana sample data]

In this example, the API returns the following information, sorted based on the
influencer score in descending order:
[source,js]
----
{
  "count": 189,
  "influencers": [
    {
      "job_id": "high_sum_total_sales",
      "result_type": "influencer",
      "influencer_field_name": "customer_full_name.keyword",
      "influencer_field_value": "Wagdi Shaw",
      "customer_full_name.keyword" : "Wagdi Shaw",
      "influencer_score": 99.02493,
      "initial_influencer_score" : 94.67233079580171,
      "probability" : 1.4784807245686567E-10,
      "bucket_span" : 3600,
      "is_interim" : false,
      "timestamp" : 1574661600000
    },
  ...
  ]
}
----