Using Anomaly Detection to detect sudden increases or decreases in the amount of logs received for an index

victor · February 15, 2022, 8:36am

Hi,

We have a need to detect sudden changes to the amount of logs received for certain indices. One idea we had was using the OpenSearch Anomaly Detection plugin to perhaps do a count() on the @timestamp field.

We tested this and got some results back from the historical analysis, but the detections were a little to picky for us. The anomalies were created when we got an increase around about 2-5%, instead we would like to get an alert when it differs around 10% or more.

Is this possible? Thanks

searchymcsearchface · February 15, 2022, 2:42pm

Humm. How much does your data typically vary on the count()?

Also, what is your interval - is that set too tight?

kaituo · February 16, 2022, 7:13pm

trying different intervals might help. Also, you can use alerting since you know the threshold to trigger.

Topic		Replies	Views
Opensearch Anomaly Detection behavior OpenSearch anomaly-detection	5	485	November 6, 2023
Anomaly detection Url based detection OpenSearch	7	327	February 1, 2023
Alert if index not being created or updated OpenSearch	1	258	March 3, 2023
DSL query for indices not receiving any docs Alerting	6	736	December 3, 2021
How can Anomaly Detector recover from huge spikes and dips? OpenSearch	0	159	October 27, 2023

Using Anomaly Detection to detect sudden increases or decreases in the amount of logs received for an index

Related topics