Update an anomaly detection job (Generally available; Added in 5.5.0)

POST /_ml/anomaly_detectors/{job_id}/_update

Updates certain properties of an anomaly detection job.

Required authorization

  • Cluster privileges: manage_ml

Path parameters

  • job_id string Required

    Identifier for the job.

application/json

Body Required

  • allow_lazy_open boolean

    Advanced configuration option. Specifies whether this job can open when there is insufficient machine learning node capacity for it to be immediately assigned to a node. If false and a machine learning node with capacity to run the job cannot immediately be found, the open anomaly detection jobs API returns an error. However, this is also subject to the cluster-wide xpack.ml.max_lazy_ml_nodes setting. If this option is set to true, the open anomaly detection jobs API does not return an error and the job waits in the opening state until sufficient machine learning node capacity is available.

    Default value is false.

  • analysis_limits object
    • model_memory_limit string Required

      Limits can be applied for the resources required to hold the mathematical models in memory. These limits are approximate and can be set per job. They do not control the memory used by other processes, for example the Elasticsearch Java processes.

  • background_persist_interval string

    Advanced configuration option. The time between each periodic persistence of the model. The default value is a randomized value between 3 to 4 hours, which avoids all jobs persisting at exactly the same time. The smallest allowed value is 1 hour. For very large models (several GB), persistence could take 10-20 minutes, so do not set the value too low. If the job is open when you make the update, you must stop the datafeed, close the job, then reopen the job and restart the datafeed for the changes to take effect.

  • custom_settings object

    Advanced configuration option. Contains custom metadata about the job. For example, it can contain custom URL information as shown in Adding custom URLs to machine learning results.

    • * object Additional properties
  • categorization_filters array[string]
  • description string

    A description of the job.

  • model_plot_config object
    • annotations_enabled boolean Generally available; Added in 7.9.0

      If true, enables calculation and storage of the model change annotations for each entity that is being analyzed.

      Default value is true.

    • enabled boolean

      If true, enables calculation and storage of the model bounds for each entity that is being analyzed.

      Default value is false.

    • terms string

      Limits data collection to this comma-separated list of partition or by field values. If terms is not specified or is an empty string, no filtering is applied. Wildcards are not supported. Only the specified terms can be viewed when using the Single Metric Viewer.

  • model_prune_window string

    A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

  • daily_model_snapshot_retention_after_days number

    Advanced configuration option, which affects the automatic removal of old model snapshots for this job. It specifies a period of time (in days) after which only the first snapshot per day is retained. This period is relative to the timestamp of the most recent snapshot for this job. Valid values range from 0 to model_snapshot_retention_days. For jobs created before version 7.8.0, the default value matches model_snapshot_retention_days.

    Default value is 1.

  • model_snapshot_retention_days number

    Advanced configuration option, which affects the automatic removal of old model snapshots for this job. It specifies the maximum period of time (in days) that snapshots are retained. This period is relative to the timestamp of the most recent snapshot for this job.

    Default value is 10.

  • renormalization_window_days number

    Advanced configuration option. The period over which adjustments to the score are applied, as new data is seen.

  • results_retention_days number

    Advanced configuration option. The period of time (in days) that results are retained. Age is calculated relative to the timestamp of the latest bucket result. If this property has a non-null value, once per day at 00:30 (server time), results that are the specified number of days older than the latest bucket result are deleted from Elasticsearch. The default value is null, which means all results are retained.

  • groups array[string]

    A list of job groups. A job can belong to no groups or many.

  • detectors array[object]

    An array of detector update objects.

    • detector_index number Required

      A unique identifier for the detector. This identifier is based on the order of the detectors in the analysis_config, starting at zero.

    • description string

      A description of the detector.

    • custom_rules array[object]

      An array of custom rule objects, which enable you to customize the way detectors operate. For example, a rule may dictate to the detector conditions under which results should be skipped. Kibana refers to custom rules as job rules.

      • actions array[string]

        The set of actions to be triggered when the rule applies. If more than one action is specified the effects of all actions are combined.

        Supported values include:

        • skip_result: The result will not be created. Unless you also specify skip_model_update, the model will be updated as usual with the corresponding series value.
        • skip_model_update: The value for that series will not be used to update the model. Unless you also specify skip_result, the results will be created as usual. This action is suitable when certain values are expected to be consistently anomalous and they affect the model in a way that negatively impacts the rest of the results.

        Values are skip_result or skip_model_update. Default value is ["skip_result"].

      • conditions array[object]

        An array of numeric conditions when the rule applies. A rule must either have a non-empty scope or at least one condition. Multiple conditions are combined together with a logical AND.

        • applies_to
        • operator
        • value number Required

          The value that is compared against the applies_to field using the operator.

      • scope object

        A scope of series where the rule applies. A rule must either have a non-empty scope or at least one condition. By default, the scope includes all series. Scoping is allowed for any of the fields that are also specified in by_field_name, over_field_name, or partition_field_name.

        • * object Additional properties
          • filter_id
          • filter_type
  • per_partition_categorization object

    Settings related to how categorization interacts with partition fields.

    • enabled boolean

      To enable this setting, you must also set the partition_field_name property to the same value in every detector that uses the keyword mlcategory. Otherwise, job creation fails.

    • stop_on_warn boolean

      This setting can be set to true only if per-partition categorization is enabled. If true, both categorization and subsequent anomaly detection stop for partitions where the categorization status changes to warn. This setting makes it viable to have a job where it is expected that categorization works well for some partitions but not others; you do not pay the cost of bad categorization forever in the partitions where it works badly.
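As an added example (not Elastic's code), the following Python validator checks an update body against the constraints this section documents before the request is sent: the duration grammar given for model_prune_window, the 1h minimum for background_persist_interval, the "non-empty scope or at least one condition" rule for custom rules, the supported rule actions, the daily_model_snapshot_retention_after_days range, and the stop_on_warn dependency on enabled. The sample bodies are constructed; the field name host, the filter id safe_hosts and the applies_to, operator and filter_type values in them are assumptions, not taken from this page.

```python
import re

# Duration grammar from the page: a number plus one of these units; "0" and "-1" are also accepted bare.
DURATION_RE = re.compile(r"^(-?\d+(?:\.\d+)?)(nanos|micros|ms|s|m|h|d)?$")
UNIT_MS = {"nanos": 1e-6, "micros": 1e-3, "ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
RULE_ACTIONS = {"skip_result", "skip_model_update"}


def parse_duration_ms(text):
    """Return the duration in milliseconds, raising ValueError on input the grammar rejects."""
    match = DURATION_RE.match(str(text).strip())
    if not match:
        raise ValueError(f"bad duration {text!r}")
    number, unit = match.groups()
    if unit is None:
        if number not in ("0", "-1"):
            raise ValueError(f"duration {text!r} needs a unit")
        return int(number)
    return float(number) * UNIT_MS[unit]


def as_list(value):
    """detectors and custom_rules are typed array[object]; tolerate a single bare object as well."""
    return value if isinstance(value, list) else [value]


def validate_rule(rule, where):
    """Check one custom rule object against the documented constraints."""
    errors = []
    unknown = set(rule.get("actions", ["skip_result"])) - RULE_ACTIONS
    if unknown:
        errors.append(f"{where}: unsupported actions {sorted(unknown)}")
    conditions = rule.get("conditions", [])
    if not rule.get("scope") and not conditions:
        errors.append(f"{where}: needs a non-empty scope or at least one condition")
    for i, cond in enumerate(conditions):
        if not isinstance(cond.get("value"), (int, float)):
            errors.append(f"{where}.conditions[{i}]: numeric value is required")
    return errors


def validate_job_update(body):
    """Return a list of problems; an empty list means the body passes every check."""
    errors = []
    for i, det in enumerate(as_list(body.get("detectors", []))):
        idx = det.get("detector_index")
        if not isinstance(idx, int) or idx < 0:
            errors.append(f"detectors[{i}]: detector_index is required and starts at 0")
        for j, rule in enumerate(as_list(det.get("custom_rules", []))):
            errors.extend(validate_rule(rule, f"detectors[{i}].custom_rules[{j}]"))
    if "background_persist_interval" in body:  # smallest allowed value is 1 hour
        try:
            if parse_duration_ms(body["background_persist_interval"]) < UNIT_MS["h"]:
                errors.append("background_persist_interval: smallest allowed value is 1h")
        except ValueError as exc:
            errors.append(f"background_persist_interval: {exc}")
    daily = body.get("daily_model_snapshot_retention_after_days")
    total = body.get("model_snapshot_retention_days")
    if daily is not None and (daily < 0 or (total is not None and daily > total)):
        errors.append("daily_model_snapshot_retention_after_days: "
                      "valid range is 0 to model_snapshot_retention_days")
    ppc = body.get("per_partition_categorization", {})
    if ppc.get("stop_on_warn") and not ppc.get("enabled"):
        errors.append("per_partition_categorization.stop_on_warn: requires enabled=true")
    return errors


# Constructed sample: the page's update body plus a rule that skips results for hosts
# in a hypothetical filter (safe_hosts) when the actual value is below 10.
GOOD_BODY = {
    "description": "An updated job",
    "detectors": [{
        "detector_index": 0,
        "custom_rules": [{
            "actions": ["skip_result"],
            "scope": {"host": {"filter_id": "safe_hosts", "filter_type": "include"}},
            "conditions": [{"applies_to": "actual", "operator": "lt", "value": 10}],
        }],
    }],
    "background_persist_interval": "2h",
    "model_snapshot_retention_days": 7,
    "daily_model_snapshot_retention_after_days": 1,
}

# Constructed sample that violates four documented constraints at once:
# an unknown action, a rule with neither scope nor condition, a 30m persist interval,
# and a daily retention value larger than model_snapshot_retention_days.
BAD_BODY = {
    "detectors": {"detector_index": 0, "custom_rules": [{"actions": ["drop"]}]},
    "background_persist_interval": "30m",
    "model_snapshot_retention_days": 7,
    "daily_model_snapshot_retention_after_days": 9,
}
```

Calling validate_job_update(BAD_BODY) returns the four problems as strings, while GOOD_BODY returns an empty list.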

Responses

  • 200 application/json
    • allow_lazy_open boolean Required
    • analysis_config object Required
      • bucket_span string Required

        The size of the interval that the analysis is aggregated into, typically between 5m and 1h.

      • categorization_analyzer string | object

        If categorization_field_name is specified, you can also define the analyzer that is used to interpret the categorization field. This property cannot be used at the same time as categorization_filters. The categorization analyzer specifies how the categorization_field is interpreted by the categorization process.

      • categorization_field_name string

        If this property is specified, the values of the specified field will be categorized. The resulting categories must be used in a detector by setting by_field_name, over_field_name, or partition_field_name to the keyword mlcategory.

      • categorization_filters array[string]

        If categorization_field_name is specified, you can also define optional filters. This property expects an array of regular expressions. The expressions are used to filter out matching sequences from the categorization field values.

      • detectors array[object] Required

        An array of detector configuration objects. Detector configuration objects specify which data fields a job analyzes. They also specify which analytical functions are used. You can specify multiple detectors for a job.

        • by_field_name string

          The field used to split the data. In particular, this property is used for analyzing the splits with respect to their own history. It is used for finding unusual values in the context of the split.

        • custom_rules array[object]

          An array of custom rule objects, which enable you to customize the way detectors operate. For example, a rule may dictate to the detector conditions under which results should be skipped. Kibana refers to custom rules as job rules.

        • detector_description string

          A description of the detector.

        • detector_index number

          A unique identifier for the detector. This identifier is based on the order of the detectors in the analysis_config, starting at zero.

        • exclude_frequent string

          Contains one of the following values: all, none, by, or over. If set, frequent entities are excluded from influencing the anomaly results. Entities can be considered frequent over time or frequent in a population. If you are working with both over and by fields, then you can set exclude_frequent to all for both fields, or to by or over for those specific fields.

          Values are all, none, by, or over.

        • field_name string

          The field that the detector uses in the function. If you use an event rate function such as count or rare, do not specify this field.

        • function string Required

          The analysis function that is used. For example, count, rare, mean, min, max, and sum.

        • over_field_name string

          The field used to split the data. In particular, this property is used for analyzing the splits with respect to the history of all splits. It is used for finding unusual values in the population of all splits.

        • partition_field_name string

          The field used to segment the analysis. When you use this property, you have completely independent baselines for each value of this field.

        • use_null boolean

          Defines whether a new series is used as the null series when there is no value for the by or partition fields.

          Default value is false.

      • influencers array[string] Required

        A comma-separated list of influencer field names. Typically these can be the by, over, or partition fields that are used in the detector configuration. You might also want to use a field name that is not specifically named in a detector, but is available as part of the input data. When you use multiple detectors, the use of influencers is recommended as it aggregates results for each influencer entity.

      • model_prune_window string

        Advanced configuration option. Affects the pruning of models that have not been updated for the given time duration. The value must be set to a multiple of the bucket_span. If set too low, important information may be removed from the model. Typically, set to 30d or longer. If not set, model pruning only occurs if the model memory status reaches the soft limit or the hard limit. For jobs created in 8.1 and later, the default value is the greater of 30d or 20 times bucket_span.

      • latency string

        The size of the window in which to expect data that is out of time order. Defaults to no latency. If you specify a non-zero value, it must be greater than or equal to one second.

      • multivariate_by_fields boolean

        This functionality is reserved for internal use. It is not supported for use in customer environments and is not subject to the support SLA of official GA features. If set to true, the analysis will automatically find correlations between metrics for a given by field value and report anomalies when those correlations cease to hold.

      • per_partition_categorization object

        Settings related to how categorization interacts with partition fields.

        • enabled boolean

          To enable this setting, you must also set the partition_field_name property to the same value in every detector that uses the keyword mlcategory. Otherwise, job creation fails.

        • stop_on_warn boolean

          This setting can be set to true only if per-partition categorization is enabled. If true, both categorization and subsequent anomaly detection stop for partitions where the categorization status changes to warn. This setting makes it viable to have a job where it is expected that categorization works well for some partitions but not others; you do not pay the cost of bad categorization forever in the partitions where it works badly.

      • summary_count_field_name string

        If this property is specified, the data that is fed to the job is expected to be pre-summarized. This property value is the name of the field that contains the count of raw data points that have been summarized. The same summary_count_field_name applies to all detectors in the job.

    • analysis_limits object Required
      • categorization_examples_limit number

        The maximum number of examples stored per category in memory and in the results data store. If you increase this value, more examples are available, however it requires that you have more storage available. If you set this value to 0, no examples are stored. NOTE: The categorization_examples_limit applies only to analysis that uses categorization.

        Default value is 4.

      • model_memory_limit number | string

        The approximate maximum amount of memory resources that are required for analytical processing. Once this limit is approached, data pruning becomes more aggressive. Upon exceeding this limit, new entities are not modeled. If the xpack.ml.max_model_memory_limit setting has a value greater than 0 and less than 1024mb, that value is used instead of the default. The default value is relatively small to ensure that high resource usage is a conscious decision. If you have jobs that are expected to analyze high cardinality fields, you will likely need to use a higher value. If you specify a number instead of a string, the units are assumed to be MiB. Specifying a string is recommended for clarity. If you specify a byte size unit of b or kb and the number does not equate to a discrete number of megabytes, it is rounded down to the closest MiB. The minimum valid value is 1 MiB. If you specify a value less than 1 MiB, an error occurs. If you specify a value for the xpack.ml.max_model_memory_limit setting, an error occurs when you try to create jobs that have model_memory_limit values greater than that setting value.

    • background_persist_interval string

      A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

    • create_time number

      Epoch time in milliseconds.

    • finished_time number

      Epoch time in milliseconds.

    • custom_settings object
      • * string Additional properties
    • daily_model_snapshot_retention_after_days number Required
    • data_description object Required
      • format string

        Only JSON format is supported at this time.

      • time_field string

        The name of the field that contains the timestamp.

      • time_format string

        The time format, which can be epoch, epoch_ms, or a custom pattern. The value epoch refers to UNIX or Epoch time (the number of seconds since 1 Jan 1970). The value epoch_ms indicates that time is measured in milliseconds since the epoch. The epoch and epoch_ms time formats accept either integer or real values. Custom patterns must conform to the Java DateTimeFormatter class. When you use date-time formatting patterns, it is recommended that you provide the full date, time and time zone. For example: yyyy-MM-dd'T'HH:mm:ssX. If the pattern that you specify is not sufficient to produce a complete timestamp, job creation fails.

        Default value is epoch.

      • field_delimiter string
    • datafeed_config object
      • aggregations object
      • authorization object

        The security privileges that the datafeed uses to run its queries. If Elastic Stack security features were disabled at the time of the most recent update to the datafeed, this property is omitted.

        • api_key object

          If an API key was used for the most recent update to the datafeed, its name and identifier are listed in the response.

        • roles array[string]

          If a user ID was used for the most recent update to the datafeed, its roles at the time of the update are listed in the response.

        • service_account string

          If a service account was used for the most recent update to the datafeed, the account name is listed in the response.

      • chunking_config object
        • mode string Required

          If the mode is auto, the chunk size is dynamically calculated; this is the recommended value when the datafeed does not use aggregations. If the mode is manual, chunking is applied according to the specified time_span; use this mode when the datafeed uses aggregations. If the mode is off, no chunking is applied.

          Values are auto, manual, or off.

        • time_span string

          The time span that each search will be querying. This setting is applicable only when the mode is set to manual.

      • datafeed_id string Required
      • frequency string

        A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

      • indices array[string] Required
      • indexes array[string]
      • job_id string Required
      • max_empty_searches number
      • query_delay string

        A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

      • script_fields object
        • * object Additional properties
          • script object Required
          • ignore_failure boolean
      • scroll_size number
      • delayed_data_check_config object Required
        • check_window string

          The window of time that is searched for late data. This window of time ends with the latest finalized bucket. It defaults to null, which causes an appropriate check_window to be calculated when the real-time datafeed runs. In particular, the default check_window span calculation is based on the maximum of 2h or 8 * bucket_span.

        • enabled boolean Required

          Specifies whether the datafeed periodically checks for delayed data.

      • runtime_mappings object
        • * object Additional properties
          • fields object

            For type composite

          • fetch_fields array[object]

            For type lookup

          • format string

            A custom format for date type runtime fields.

      • indices_options object

        Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.

        • allow_no_indices boolean

          If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.

        • expand_wildcards string | array[string]

          Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden.

          Supported values include:

          • all: Match any data stream or index, including hidden ones.
          • open: Match open, non-hidden indices. Also matches any non-hidden data stream.
          • closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
          • hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
          • none: Wildcard expressions are not accepted.
        • ignore_unavailable boolean

          If true, missing or closed indices are not included in the response.

          Default value is false.

        • ignore_throttled boolean

          If true, concrete, expanded or aliased indices are ignored when frozen.

          Default value is true.

      • query object Required

        The Elasticsearch query domain-specific language (DSL). This value corresponds to the query object in an Elasticsearch search POST body. All the options that are supported by Elasticsearch can be used, as this object is passed verbatim to Elasticsearch. By default, this property has the following value: {"match_all": {"boost": 1}}.

        Query DSL
    • description string
    • groups array[string]
    • job_id string Required
    • job_type string Required
    • job_version string Required
    • model_plot_config object
      • annotations_enabled boolean Generally available; Added in 7.9.0

        If true, enables calculation and storage of the model change annotations for each entity that is being analyzed.

        Default value is true.

      • enabled boolean

        If true, enables calculation and storage of the model bounds for each entity that is being analyzed.

        Default value is false.

      • terms string

        Limits data collection to this comma-separated list of partition or by field values. If terms is not specified or is an empty string, no filtering is applied. Wildcards are not supported. Only the specified terms can be viewed when using the Single Metric Viewer.

    • model_snapshot_id string
    • model_snapshot_retention_days number Required
    • renormalization_window_days number
    • results_index_name string Required
    • results_retention_days number

Console
POST _ml/anomaly_detectors/low_request_rate/_update
{
  "description":"An updated job",
  "detectors": {
    "detector_index": 0,
    "description": "An updated detector description"
  },
  "groups": ["kibana_sample_data","kibana_sample_web_logs"],
  "model_plot_config": {
    "enabled": true
  },
  "renormalization_window_days": 30,
  "background_persist_interval": "2h",
  "model_snapshot_retention_days": 7,
  "results_retention_days": 60
}

Python
resp = client.ml.update_job(
    job_id="low_request_rate",
    description="An updated job",
    detectors={
        "detector_index": 0,
        "description": "An updated detector description"
    },
    groups=[
        "kibana_sample_data",
        "kibana_sample_web_logs"
    ],
    model_plot_config={
        "enabled": True
    },
    renormalization_window_days=30,
    background_persist_interval="2h",
    model_snapshot_retention_days=7,
    results_retention_days=60,
)

JavaScript
const response = await client.ml.updateJob({
  job_id: "low_request_rate",
  description: "An updated job",
  detectors: {
    detector_index: 0,
    description: "An updated detector description",
  },
  groups: ["kibana_sample_data", "kibana_sample_web_logs"],
  model_plot_config: {
    enabled: true,
  },
  renormalization_window_days: 30,
  background_persist_interval: "2h",
  model_snapshot_retention_days: 7,
  results_retention_days: 60,
});

Ruby
response = client.ml.update_job(
  job_id: "low_request_rate",
  body: {
    "description": "An updated job",
    "detectors": {
      "detector_index": 0,
      "description": "An updated detector description"
    },
    "groups": [
      "kibana_sample_data",
      "kibana_sample_web_logs"
    ],
    "model_plot_config": {
      "enabled": true
    },
    "renormalization_window_days": 30,
    "background_persist_interval": "2h",
    "model_snapshot_retention_days": 7,
    "results_retention_days": 60
  }
)

PHP
$resp = $client->ml()->updateJob([
    "job_id" => "low_request_rate",
    "body" => [
        "description" => "An updated job",
        "detectors" => [
            "detector_index" => 0,
            "description" => "An updated detector description",
        ],
        "groups" => array(
            "kibana_sample_data",
            "kibana_sample_web_logs",
        ),
        "model_plot_config" => [
            "enabled" => true,
        ],
        "renormalization_window_days" => 30,
        "background_persist_interval" => "2h",
        "model_snapshot_retention_days" => 7,
        "results_retention_days" => 60,
    ],
]);

curl
curl -X POST \
  -H "Authorization: ApiKey $ELASTIC_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"description":"An updated job","detectors":{"detector_index":0,"description":"An updated detector description"},"groups":["kibana_sample_data","kibana_sample_web_logs"],"model_plot_config":{"enabled":true},"renormalization_window_days":30,"background_persist_interval":"2h","model_snapshot_retention_days":7,"results_retention_days":60}' \
  "$ELASTICSEARCH_URL/_ml/anomaly_detectors/low_request_rate/_update"

Java
client.ml().updateJob(u -> u
    .backgroundPersistInterval(b -> b
        .time("2h")
    )
    .description("An updated job")
    .detectors(d -> d
        .detectorIndex(0)
        .description("An updated detector description")
    )
    .groups(List.of("kibana_sample_data","kibana_sample_web_logs"))
    .jobId("low_request_rate")
    .modelPlotConfig(m -> m
        .enabled(true)
    )
    .modelSnapshotRetentionDays(7L)
    .renormalizationWindowDays(30L)
    .resultsRetentionDays(60L)
);

Request example
An example body for a `POST _ml/anomaly_detectors/low_request_rate/_update` request.
{
  "description":"An updated job",
  "detectors": {
    "detector_index": 0,
    "description": "An updated detector description"
  },
  "groups": ["kibana_sample_data","kibana_sample_web_logs"],
  "model_plot_config": {
    "enabled": true
  },
  "renormalization_window_days": 30,
  "background_persist_interval": "2h",
  "model_snapshot_retention_days": 7,
  "results_retention_days": 60
}