Etusivu Tutki Apua
Kirjaudu sisään
lqb
/
elasticsearch
peilaus alkaen https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Tiedostot Ongelmat 0 Wiki
Puu: d07c174aaf
Haarat Tagit
elasticsearch
/
docs
/
reference
/
ml
/
anomaly-detection
/
ml-configuring-alerts.asciidoc

ml-configuring-alerts.asciidoc 5.1 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103 
  1. [role="xpack"]
    2. 

  2. [[ml-configuring-alerts]]
    3. 

  3. = Generating alerts for {anomaly-jobs}
    4. 

  4. 

  5. beta::[]
    6. 

  6. 

  7. {kib} {alert-features} include support for {ml} rules, which run scheduled 
    8. 

  8. checks on an {anomaly-job} or a group of jobs to detect anomalies with certain 
    9. 

  9. conditions. If an anomaly meets the conditions, an alert is created and the 
    10. 

  10. associated action is triggered. For example, you can create a rule to check an 
    11. 

  11. {anomaly-job} every fifteen minutes for critical anomalies and to notify you in 
    12. 

  12. an email. To learn more about {kib} {alert-features}, refer to 
    13. 

  13. {kibana-ref}/alerting-getting-started.html#alerting-getting-started[Alerting and Actions].
    14. 

  14. 

  15. 

  16. [[creating-anomaly-alert-rules]]
    17. 

  17. == Creating a rule
    18. 

  18. 

  19. You can create {ml} rules in the {anomaly-job} wizard after you start the job, 
    20. 

  20. from the job list, or under **{stack-manage-app} > {alerts-ui}**. On the *Create 
    21. 

  21. rule* window, select *{anomaly-detect-cap} alert* under the {ml} section, then 
    22. 

  22. give a name to the rule and optionally provide tags.
    23. 

  23. 

  24. Specify the time interval for the rule to check detected anomalies. It is 
    25. 

  25. recommended to select an interval that is close to the bucket span of the 
    26. 

  26. associated job. You can also select a notification option by using the _Notify_ 
    27. 

  27. selector. An alert remains active as long as anomalies are found for a 
    28. 

  28. particular {anomaly-job} during the check interval. When there is no anomaly 
    29. 

  29. found in the next interval, the `Recovered` action group is invoked and the 
    30. 

  30. status of the alert changes to `OK`. For more details, refer to the 
    31. 

  31. documentation of 
    32. 

  32. {kibana-ref}/defining-alerts.html#defining-alerts-general-details[general rule details].
    33. 

  33.   
    34. 

  34. [role="screenshot"]
    35. 

  35. image::images/ml-anomaly-alert-type.jpg["Creating a rule for an anomaly detection alert"]
    36. 

  36.   
    37. 

  37. Select the {anomaly-job} or the group of {anomaly-jobs} that is checked against 
    38. 

  38. the rule. If you assign additional jobs to the group, the new jobs are 
    39. 

  39. automatically checked the next time the conditions are checked.
    40. 

  40. 

  41. You can select the result type of the {anomaly-job} that is checked against the 
    42. 

  42. rule. In particular, you can create rules based on bucket, record, or influencer 
    43. 

  43. results.
    44. 

  44. 

  45. [role="screenshot"]
    46. 

  46. image::images/ml-anomaly-alert-severity.jpg["Selecting result type, severity, and test interval"]
    47. 

  47. 

  48. For each rule, you can configure the `anomaly_score` that triggers the action. 
    49. 

  49. The `anomaly_score` indicates the significance of a given anomaly compared to 
    50. 

  50. previous anomalies. The default severity threshold is 75 which means every 
    51. 

  51. anomaly with an `anomaly_score` of 75 or higher triggers the associated action.
    52. 

  52. 

  53. You can select whether you want to include interim results. Interim results are 
    54. 

  54. created by the {anomaly-job} before a bucket is finalized. These results might 
    55. 

  55. disappear after the bucket is fully processed. Include interim results if you 
    56. 

  56. want to be notified earlier about a potential anomaly even if it might be a 
    57. 

  57. false positive. If you want to get notified only about anomalies of fully 
    58. 

  58. processed buckets, do not include interim results.
    59. 

  59. 

  60. You can also configure advanced settings. _Lookback interval_ sets an interval 
    61. 

  61. that is used to query previous anomalies during each condition check. Its value 
    62. 

  62. is derived from the bucket span of the job and the query delay of the {dfeed} by 
    63. 

  63. default. It is not recommended to set the lookback interval lower than the 
    64. 

  64. default value as it might result in missed anomalies. _Number of latest buckets_ 
    65. 

  65. sets how many buckets to check to obtain the highest anomaly from all the 
    66. 

  66. anomalies that are found during the _Lookback interval_. An alert is created 
    67. 

  67. based on the anomaly with the highest anomaly score from the most anomalous 
    68. 

  68. bucket.
    69. 

  69. 

  70. You can also test the configured conditions against your existing data and check 
    71. 

  71. the sample results by providing a valid interval for your data. The generated 
    72. 

  72. preview contains the number of potentially created alerts during the relative 
    73. 

  73. time range you defined.
    74. 

  74. 

  75. 

  76. [[defining-actions]]
    77. 

  77. == Defining actions
    78. 

  78. 

  79. As a next step, connect your rule to actions that use supported built-in 
    80. 

  80. integrations by selecting a connector type. Connectors are {kib} services or 
    81. 

  81. third-party integrations that perform an action when the rule conditions are 
    82. 

  82. met.
    83. 

  83. 

  84. [role="screenshot"]
    85. 

  85. image::images/ml-anomaly-alert-actions.jpg["Selecting connector type"]
    86. 

  86. 

  87. For example, you can choose _Slack_ as a connector type and configure it to send 
    88. 

  88. a message to a channel you selected. You can also create an index connector that 
    89. 

  89. writes the JSON object you configure to a specific index. It's also possible to 
    90. 

  90. customize the notification messages. A list of variables is available to include 
    91. 

  91. in the message, like job ID, anomaly score, time, or top influencers.
    92. 

  92. 

  93. [role="screenshot"]
    94. 

  94. image::images/ml-anomaly-alert-messages.jpg["Customizing your message"]
    95. 

  95. 

  96. After you save the configurations, the rule appears in the *{alerts-ui}* list 
    97. 

  97. where you can check its status and see the overview of its configuration 
    98. 

  98. information.
    99. 

  99. 

  100. The name of an alert is always the same as the job ID of the associated 
    101. 

  101. {anomaly-job} that triggered it. You can mute the notifications for a particular 
    102. 

  102. {anomaly-job} on the page of the rule that lists the individual alerts. You can 
    103. 

  103. open it via *{alerts-ui}* by selecting the rule name.
    104.