Opensearch Anomaly Detector Custom Expressions

automator · March 18, 2024, 10:29am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
v2.11.1

Describe the issue:
I would like to write a Custom expression in the “Anomaly Detection” section of Opensearch Dashboards, but I can’t seem to get m Detector right.

At the moment, I have:

{
    "http-reponse-code": {
        "value_count": {
            "field": "response"
        }
    }
}

It will count all the messages in the index, that have a http-response-code.

Now, I would like to limit those to only count responses, that are in a certain range (“400” to “499”). I can’t seem to get that right.

Thought about something like this:

{
  "query": { 
    "value_count": { 
      "filter": [ 
        { "term":  { "field": "response"}},
        { "range": { "response": { "gte": 400, "lte": 499 }}}
      ]
    }
  }
}

When I click “Preview”, Opensearch Dashboards tells me:

 query error: [1:1209] [value_count] unknown field [filter]

What am I getting wrong?

Is there any documentation for the expressions, I can use in Anomaly Detection?

Any advice highly appreciated!

Configuration:

Relevant Logs or Screenshots:

pablo · March 21, 2024, 12:56am

@automator As far as I know, value_count expects a field.
i.e.

{
    "query": {
        "value_count": {
            "field": "<filed_name>"
        }
    }
}

automator · March 21, 2024, 10:21am

Thanks for commenting! I am aware that it accepts a field by default. I was hoping that there is some possibility to do some filtering inside the expression, but it seems like it is not possible, which really is annoying…

pablo · March 21, 2024, 1:11pm

@automator I’ve tested with just a filter in that custom expression but it complained about an incorrect input field.

automator · March 22, 2024, 12:15pm

Hi Pablo, thanks alot for your time! I guess, it is impossible to achieve this in Opensearch Dashboards Anomaly Detection. It seems to only accept a single field for each feature and no “true complex” queries/filters. At least with the current version of Opensearch Dashboards.

kaituo · March 28, 2024, 11:34pm

Can you try sth like

{
    "filtered_output": {
        "filter": {
            "bool": {
                "must": [
                    {
                        "range": {
                            "response": {
                                "gte": 400,
                                "lte": 499
                            }
                        }
                    }
                ],
                "adjust_pure_negative": true,
                "boost": 1
            }
        },
        "aggregations": {
            "http-response-code": {
                "value_count": {
                    "field": "response"
                }
            }
        }
    }
}

?

automator · April 2, 2024, 7:25am

Wow! Thank you so much, kaituo! This actually seems to work for me!

kaituo · April 3, 2024, 6:47pm

nice

Topic		Replies	Views
Anomaly detection using filter in custom expression Machine Learning	1	717	August 25, 2021
Creating Detectors Reporting Plugin	0	301	December 7, 2022
Anomaly Detection DSL errors Machine Learning	1	1050	December 21, 2021
Anomaly detector custom query Machine Learning	1	743	November 29, 2021
Derivative Features for Anomaly Detection Plugins Machine Learning	2	365	August 11, 2023

Opensearch Anomaly Detector Custom Expressions

Related topics