Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.7.0
Hi,
I have created an anomaly detector which looks at Mondays but it doesn’t create any anomalies although there are huge differences between Mondays in my indices. I have 60 days of indices that are being analyzed.
Any ideas why? What do I have to add to my detector config in order to get this working?
The purpose is to see/find Monday anomalies when there are too few requests coming in.
The detector is based on my custom field: “testing.host.keyword” and a 60m detection interval.
Detector config:
POST _plugins/_anomaly_detection/detectors
{
  "name": "Monday_request_count_anomaly_detector",
  "description": "Detect anomalies in Monday request counts",
  "time_field": "@timestamp",
  "indices": ["test*"],
  "feature_attributes": [
    {
      "feature_name": "request_count_Monday",
      "feature_enabled": true,
      "aggregation_query": {
        "testing_host_keyword_count": {
          "value_count": {
            "field": "testing.host.keyword"
          }
        }
      }
    }
  ],
  "filter_query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-30d/d",
              "lte": "now/d"
            }
          }
        },
        {
          "script": {
            "script": {
              "source": """
                def dayOfWeek = doc['@timestamp'].value.dayOfWeek;
                return dayOfWeek == 1;
              """
            }
          }
        }
      ]
    }
  },
  "analysis_config": {
    "bucket_span": "1d",
    "detectors": [
      {
        "function": "model_plot",
        "partition_field_name": "testing.host.keyword",
        "detector_description": "Detect lower-than-normal request counts on Mondays"
      }
    ]
  },
  "detection_interval": {
    "period": {
      "interval": 60,
      "unit": "Minutes"
    }
  },
  "window_delay": {
    "period": {
      "interval": 1,
      "unit": "Minutes"
    }
  },
  "result_index": "opensearch-ad-plugin-result-monday-requests"
}
I tried experimenting with the detection interval, but when I set it to 1440 minutes (24 hours) I get this warning in the OpenSearch log: “model is empty or too large: [0] bytes”
The host has 32 GB RAM and the JVM is set to 16 GB RAM.
And if I change the interval to 10 minutes, it shows anomalies, but not in the correct way.
Screenshot with 10 min intervals and for 30 days is below.
Would really appreciate some help in solving what the config should look like.