Detect Anomalies on aggregation feature X based on aggregation feature Y

zvirani · July 3, 2025, 6:23pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 3.0.0

Describe the issue:
Context:
Suppose that I have documents with a certain field called ‘category’. This field can take on values ‘a’, ‘b’ and ‘c’ (each document can only take on one of these values).

Question:
Is there a way that I can get the document value_count where ‘category’ has value ‘a’, get a separate value_count where ‘category’ has value ‘b’, and then detect anomalies based on both the value_counts?

Example:
In one interval, when there are 100 documents with ‘category’ value of ‘a’, there are usually 80 documents with ‘category’ value of ‘b’. Can I detect anomalies if instead of 80 documents, there are only 20 documents with ‘category’ value of ‘b’? (assuming that there are still 100 documents with ‘category’ value of ‘b’)

pablo · July 8, 2025, 10:32pm

@zvirani, I think you’re looking for a correlation function in Anomaly detection. According to the documentation, there is no such function available.

Topic		Replies	Views
Anomaly detection with term aggregations Machine Learning	2	1354	June 4, 2020
Anomaly Detection and Pattern Analysis with Categorical Data in OpenSearch General Feedback	3	72	October 18, 2024
Muti-variate Anomaly Detection Machine Learning anomaly-detection	4	525	January 30, 2023
Count terms in features of anomaly detectors Machine Learning	7	1443	December 13, 2022
Opensearch Anomaly Detector Custom Expressions OpenSearch Dashboards anomaly-detection	7	535	April 3, 2024

Detect Anomalies on aggregation feature X based on aggregation feature Y

Related topics