Inicio Explorar Axuda
Iniciar sesión
lqb
/
elasticsearch
réplica de https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: 9a8c6fb66f
Ramas Etiquetas
elasticsearch
/
docs
/
reference
/
ml
/
anomaly-detection
/
ml-configuring-alerts.asciidoc

ml-configuring-alerts.asciidoc 4.5 KB
Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 
  1. [role="xpack"]
    2. 

  2. [[ml-configuring-alerts]]
    3. 

  3. = Generating alerts for {anomaly-jobs}
    4. 

  4. 

  5. beta::[]
    6. 

  6. 

  7. {kib} {alert-features} include support for {ml} rules, which run scheduled 
    8. 

  8. checks on an {anomaly-job} or a group of jobs to detect anomalies with certain 
    9. 

  9. conditions. If an anomaly meets the conditions, an alert is created and the 
    10. 

  10. associated action is triggered. For example, you can create a rule to check an 
    11. 

  11. {anomaly-job} every fifteen minutes for critical anomalies and to notify you in 
    12. 

  12. an email. To learn more about {kib} {alert-features}, refer to 
    13. 

  13. {kibana-ref}/alerting-getting-started.html#alerting-getting-started[Alerting and Actions].
    14. 

  14. 

  15. 

  16. [[creating-anomaly-alert-rules]]
    17. 

  17. == Creating a rule
    18. 

  18. 

  19. You can create {ml} rules in the {anomaly-job} wizard after 
    20. 

  20. you start the job, from the job list, or under **{stack-manage-app} > 
    21. 

  21. {alerts-ui}**. On the *Create rule* window, select *{anomaly-detect-cap} alert* 
    22. 

  22. under the {ml} section, then give a name to the rule and optionally provide 
    23. 

  23. tags.
    24. 

  24. 

  25. Specify the time interval for the rule to check detected anomalies. It is 
    26. 

  26. recommended to select an interval that is close to the bucket span of the 
    27. 

  27. associated job. You can also select a notification option by using the _Notify_ 
    28. 

  28. selector. An alert remains active as long as anomalies are found for a 
    29. 

  29. particular {anomaly-job} during the check interval. When there is no anomaly 
    30. 

  30. found in the next interval, the `Recovered` action group is invoked and the 
    31. 

  31. status of the alert changes to `OK`. For more details, refer to the 
    32. 

  32. documentation of 
    33. 

  33. {kibana-ref}/defining-alerts.html#defining-alerts-general-details[general rule details].
    34. 

  34.   
    35. 

  35. [role="screenshot"]
    36. 

  36. image::images/ml-anomaly-alert-type.jpg["Creating a rule for an anomaly detection alert"]
    37. 

  37.   
    38. 

  38. Select the {anomaly-job} or the group of {anomaly-jobs} that is checked against 
    39. 

  39. the rule. If you assign additional jobs to the group, the new jobs are 
    40. 

  40. automatically checked the next time the conditions are checked.
    41. 

  41. 

  42. You can select the result type of the {anomaly-job} that is checked against the 
    43. 

  43. rule. In particular, you can create rules based on bucket, record, or influencer 
    44. 

  44. results.
    45. 

  45. 

  46. [role="screenshot"]
    47. 

  47. image::images/ml-anomaly-alert-severity.jpg["Selecting result type, severity, and test interval"]
    48. 

  48. 

  49. For each rule, you can configure the `anomaly_score` that triggers the action. 
    50. 

  50. The `anomaly_score` indicates the significance of a given anomaly compared to 
    51. 

  51. previous anomalies. The default severity threshold is 75 which means every 
    52. 

  52. anomaly with an `anomaly_score` of 75 or higher triggers the associated action.
    53. 

  53. 

  54. You can select whether you want to include interim results. Interim results are 
    55. 

  55. created by the {anomaly-job} before a bucket is finalized. These results might 
    56. 

  56. disappear after the bucket is fully processed. Include interim results if you 
    57. 

  57. want to be notified earlier about a potential anomaly even if it might be a 
    58. 

  58. false positive. If you want to get notified only about anomalies of fully 
    59. 

  59. processed buckets, do not include interim results.
    60. 

  60. 

  61. You can also test the configured conditions against your existing data and check 
    62. 

  62. the sample results by providing a valid interval for your data. The generated 
    63. 

  63. preview contains the number of potentially created alerts during the relative 
    64. 

  64. time range you defined.
    65. 

  65. 

  66. 

  67. [[defining-actions]]
    68. 

  68. == Defining actions
    69. 

  69. 

  70. As a next step, connect your rule to actions that use supported built-in 
    71. 

  71. integrations by selecting a connector type. Connectors are {kib} services or 
    72. 

  72. third-party integrations that perform an action when the rule conditions are 
    73. 

  73. met.
    74. 

  74. 

  75. [role="screenshot"]
    76. 

  76. image::images/ml-anomaly-alert-actions.jpg["Selecting connector type"]
    77. 

  77. 

  78. For example, you can choose _Slack_ as a connector type and configure it to send 
    79. 

  79. a message to a channel you selected. You can also create an index connector that 
    80. 

  80. writes the JSON object you configure to a specific index. It's also possible to 
    81. 

  81. customize the notification messages. A list of variables is available to include 
    82. 

  82. in the message, like job ID, anomaly score, time, or top influencers.
    83. 

  83. 

  84. [role="screenshot"]
    85. 

  85. image::images/ml-anomaly-alert-messages.jpg["Customizing your message"]
    86. 

  86. 

  87. After you save the configurations, the rule appears in the *{alerts-ui}* list 
    88. 

  88. where you can check its status and see the overview of its configuration 
    89. 

  89. information.
    90. 

  90. 

  91. The name of an alert is always the same as the job ID of the associated 
    92. 

  92. {anomaly-job} that triggered it. You can mute the notifications for a particular 
    93. 

  93. {anomaly-job} on the page of the rule that lists the individual alerts. You can 
    94. 

  94. open it via *{alerts-ui}* by selecting the rule name.
    95.