Opensearch Anomaly Detection behavior


I configured a pipeline in Logstash that extracts the orders of an online shop from a database and sends them to OpenSearch. The pipeline is connected to the production database, so there are continuously new order records.
On Friday I set up an anomaly detector on OpenSearch that counts the number of orders with a 15-minute detector interval.
Today, to do a test, I stopped the Logstash pipeline. I left the situation like this for an hour, so OpenSearch no longer received new orders for an hour.
I was expecting an anomaly, and instead nothing happened.


Hi. I am also evaluating OS Anomaly Detection, and I’m certainly not an expert. But I’ve run the same test you describe, and got the same result.

The reason you get no anomaly is that the detector is getting NO DATA. Null, in other words, not zero.

I am also struggling with this behavior. I’ve posted a similar question here, with no responses yet:

Good luck to both of us!


Yes, your case is the same as mine. I also tested in Elasticsearch, but it doesn't work there either.
For the moment I use a workaround to get the expected behavior: I set a custom alert on the index that sends a notification when Elastic doesn't receive data for 30 minutes. This alert is active every day only from 9:00 am to 11:00 pm.
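The two points above (an empty 15-minute interval reaching the detector as "no data" rather than a count of zero, and the no-data alert limited to business hours) can be made concrete with a small simulation. The following is an added example written for this thread, not code from OpenSearch or from either poster. The order timestamps are constructed, `bucket_counts` mirrors the thread's description of how an empty interval is seen (`None`, not `0`) and the `fill_zero` flag shows the behaviour the posters were expecting instead, and `no_data_alert` reproduces the 30-minute / 9:00-23:00 workaround. `no_data_query` builds the range query such a monitor would run; the field name `@timestamp` is an assumption.

```python
from datetime import datetime, timedelta, time

# Constructed sample: a few orders, then a gap where the Logstash
# pipeline was stopped (no documents between 10:41 and 11:52).
ORDERS = [
    datetime(2024, 1, 19, 10, 2),
    datetime(2024, 1, 19, 10, 9),
    datetime(2024, 1, 19, 10, 20),
    datetime(2024, 1, 19, 10, 33),
    datetime(2024, 1, 19, 10, 41),
    datetime(2024, 1, 19, 11, 52),
]


def bucket_counts(orders, start, end, interval_minutes=15, fill_zero=False):
    """Count orders per detector interval in [start, end).

    With fill_zero=False an interval containing no documents yields None,
    which is how the thread describes the detector seeing an empty
    interval: a missing data point, not a zero. With fill_zero=True the
    same interval yields 0, the value the posters expected to be scored.
    """
    step = timedelta(minutes=interval_minutes)
    buckets = {}
    t = start
    while t < end:
        n = sum(1 for o in orders if t <= o < t + step)
        buckets[t] = n if (n or fill_zero) else None
        t += step
    return buckets


def missing_intervals(buckets):
    """Intervals the detector received no feature value for."""
    return [t for t, n in buckets.items() if n is None]


def no_data_alert(now, last_seen, max_silence_minutes=30,
                  active_from=time(9, 0), active_until=time(23, 0)):
    """Workaround from the thread: alert when the newest document is
    older than max_silence_minutes, but only inside the active window
    (09:00-23:00 by default, matching the poster's schedule)."""
    if not (active_from <= now.time() < active_until):
        return False
    return now - last_seen > timedelta(minutes=max_silence_minutes)


def no_data_query(timestamp_field="@timestamp", max_silence_minutes=30):
    """Range query a monitor can run against the orders index; the monitor's
    trigger then fires when hits.total is 0. Field name is an assumption."""
    return {
        "size": 0,
        "query": {
            "range": {timestamp_field: {"gte": f"now-{max_silence_minutes}m"}}
        },
    }


if __name__ == "__main__":
    start = datetime(2024, 1, 19, 10, 0)
    end = datetime(2024, 1, 19, 12, 0)
    for t, n in bucket_counts(ORDERS, start, end).items():
        print(t.strftime("%H:%M"), "no data" if n is None else n)
    print("alert at 11:30:", no_data_alert(datetime(2024, 1, 19, 11, 30), ORDERS[4]))
    print("alert at 23:30:", no_data_alert(datetime(2024, 1, 19, 23, 30), ORDERS[4]))
    print(no_data_query())
```

Run stand-alone, the 10:45, 11:00, 11:15 and 11:30 intervals print as "no data": the detector simply has nothing to score for that hour, which is why the test described above produced no anomaly, while the alert function fires for the same gap during the day and stays quiet outside the active window.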

For Elasticsearch, you can use another set of tools (I forget what it's called) that will detect when NO data is coming in. I think OS has the same. But that's still not really what we're looking for.

Yes exactly, unfortunately that’s not what we’re looking for.

If it helps, I have found it will pick up anomalies with other data that does not contain big gaps. Not sure yet how accurate it is.