Multi-variate Anomaly Detection

Hi all,

My team and I are looking into OpenSearch anomaly detection and have some questions we hoped the community could help with.

We have event data with a structure similar to:

{"timestamp": "2022-09-20T15:00:00.000Z", "eventType": "click", "component": "some.api.name"}

We had intended to define eventType and component as OpenSearch anomaly detection features, but realized that the values contained in each field are not considered.

Am I right in saying that we would need to define a detector and model for each of the following:

{"timestamp": "...", "eventType": "click", "component": "component.A"}
{"timestamp": "...", "eventType": "search", "component": "component.A"}
{"timestamp": "...", "eventType": "click", "component": "component.B"}
{"timestamp": "...", "eventType": "search", "component": "component.B"}

Are there other approaches that are more scalable that aggregate on distinct values for each feature?

Thanks for the help!