Get anomaly detection job results for buckets Generally available; Added in 5.4.0

POST /_ml/anomaly_detectors/{job_id}/results/buckets/{timestamp}
Api key auth Basic auth Bearer auth

All methods and paths for this operation:

GET /_ml/anomaly_detectors/{job_id}/results/buckets

POST /_ml/anomaly_detectors/{job_id}/results/buckets
GET /_ml/anomaly_detectors/{job_id}/results/buckets/{timestamp}
POST /_ml/anomaly_detectors/{job_id}/results/buckets/{timestamp}

The API presents a chronological view of the records, grouped by bucket.

Required authorization

  • Cluster privileges: monitor_ml

Path parameters

  • job_id string Required

    Identifier for the anomaly detection job.

  • timestamp string | number Required

    The timestamp of a single bucket result. If you do not specify this parameter, the API returns information about all buckets.

Query parameters

  • anomaly_score number

    Returns buckets with anomaly scores greater or equal than this value.

  • desc boolean

    If true, the buckets are sorted in descending order.

  • end string | number

    Returns buckets with timestamps earlier than this time. -1 means it is unset and results are not limited to specific timestamps.

  • exclude_interim boolean

    If true, the output excludes interim results.

  • expand boolean

    If true, the output includes anomaly records.

  • from number

    Skips the specified number of buckets.

  • size number

    Specifies the maximum number of buckets to obtain.

  • sort string

    Specifies the sort field for the requested buckets.

  • start string | number

    Returns buckets with timestamps after this time. -1 means it is unset and results are not limited to specific timestamps.

application/json

Body

  • anomaly_score number

    Refer to the description for the anomaly_score query parameter.

    Default value is 0.

  • desc boolean

    Refer to the description for the desc query parameter.

    Default value is false.

  • end string | number

    Refer to the description for the end query parameter.

    One of:
    string-1 string UnitMillis number

    Refer to the description for the end query parameter.

    Refer to the description for the end query parameter.

  • exclude_interim boolean

    Refer to the description for the exclude_interim query parameter.

    Default value is false.

  • expand boolean

    Refer to the description for the expand query parameter.

    Default value is false.

  • page object
    Hide page attributes Show page attributes object
    • from number

      Skips the specified number of items.

      Default value is 0.

    • size number

      Specifies the maximum number of items to obtain.

      Default value is 10000.

  • sort string

    Refer to the desription for the sort query parameter.

  • start string | number

    Refer to the description for the start query parameter.

    One of:
    string-1 string UnitMillis number

    Refer to the description for the start query parameter.

    Refer to the description for the start query parameter.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • buckets array[object] Required
      Hide buckets attributes Show buckets attributes object
      • anomaly_score number Required

        The maximum anomaly score, between 0-100, for any of the bucket influencers. This is an overall, rate-limited score for the job. All the anomaly records in the bucket contribute to this score. This value might be updated as new data is analyzed.

      • bucket_influencers array[object] Required
        Hide bucket_influencers attributes Show bucket_influencers attributes object
        • anomaly_score number Required

          A normalized score between 0-100, which is calculated for each bucket influencer. This score might be updated as newer data is analyzed.

        • bucket_span
        • influencer_field_name string Required

          The field name of the influencer.

        • initial_anomaly_score number Required

          The score between 0-100 for each bucket influencer. This score is the initial value that was calculated at the time the bucket was processed.

        • is_interim boolean Required

          If true, this is an interim result. In other words, the results are calculated based on partial input data.

        • job_id string Required

          Identifier for the anomaly detection job.

        • probability number Required

          The probability that the bucket has this behavior, in the range 0 to 1. This value can be held to a high precision of over 300 decimal places, so the anomaly_score is provided as a human-readable and friendly interpretation of this.

        • raw_anomaly_score number Required

          Internal.

        • result_type string Required

          Internal. This value is always set to bucket_influencer.

        • timestamp
        • timestamp_string
      • bucket_span number

        Time unit for seconds

      • event_count number Required

        The number of input data records processed in this bucket.

      • initial_anomaly_score number Required

        The maximum anomaly score for any of the bucket influencers. This is the initial value that was calculated at the time the bucket was processed.

      • is_interim boolean Required

        If true, this is an interim result. In other words, the results are calculated based on partial input data.

      • job_id string Required

        Identifier for the anomaly detection job.

      • processing_time_ms number

        Time unit for milliseconds

      • result_type string Required

        Internal. This value is always set to bucket.

      • timestamp number

        Time unit for milliseconds

      • timestamp_string string | number

        The start time of the bucket. This timestamp uniquely identifies the bucket. Events that occur exactly at the timestamp of the bucket are included in the results for the bucket.

        One of:
        string-1 string UnitMillis number

        The start time of the bucket. This timestamp uniquely identifies the bucket. Events that occur exactly at the timestamp of the bucket are included in the results for the bucket.

        The start time of the bucket. This timestamp uniquely identifies the bucket. Events that occur exactly at the timestamp of the bucket are included in the results for the bucket.

    • count number Required
POST /_ml/anomaly_detectors/{job_id}/results/buckets/{timestamp} 
GET _ml/anomaly_detectors/low_request_rate/results/buckets
{
  "anomaly_score": 80,
  "start": "1454530200001"
}
resp = client.ml.get_buckets(
    job_id="low_request_rate",
    anomaly_score=80,
    start="1454530200001",
)
const response = await client.ml.getBuckets({
  job_id: "low_request_rate",
  anomaly_score: 80,
  start: 1454530200001,
});
response = client.ml.get_buckets(
  job_id: "low_request_rate",
  body: {
    "anomaly_score": 80,
    "start": "1454530200001"
  }
)
$resp = $client->ml()->getBuckets([
    "job_id" => "low_request_rate",
    "body" => [
        "anomaly_score" => 80,
        "start" => "1454530200001",
    ],
]);
curl -X GET -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"anomaly_score":80,"start":"1454530200001"}' "$ELASTICSEARCH_URL/_ml/anomaly_detectors/low_request_rate/results/buckets"
client.ml().getBuckets(g -> g
    .anomalyScore(80.0D)
    .jobId("low_request_rate")
    .start(DateTime.of("1454530200001"))
);
Request example
An example body for a `GET _ml/anomaly_detectors/low_request_rate/results/buckets` request. 
{
  "anomaly_score": 80,
  "start": "1454530200001"
}