root
/
elasticsearch
mirror of https://github.com/elastic/elasticsearch.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
elasticsearch/docs/reference/ml/anomaly-detection/ml-configuring-aggregations...

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

463 lines
15 KiB
Plaintext
Raw Normal View History

[DOCS] Fixes code snippet testing for machine learning (#31189)
2018-06-20 04:57:10 +08:00
[role="xpack"]
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[[ml-configuring-aggregation]]
[DOCS] Changes level offset of anomaly detection pages (#59911)
2020-07-21 07:33:54 +08:00
= Aggregating data for faster performance
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
By default, {dfeeds} fetch data from {es} using search and scroll requests.
It can be significantly more efficient, however, to aggregate data in {es}
[DOCS] Updates anomaly detection terminology (#44888)
2019-07-27 02:07:01 +08:00
and to configure your {anomaly-jobs} to analyze aggregated data.
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
One of the benefits of aggregating data this way is that {es} automatically
distributes these calculations across your cluster. You can then feed this
[DOCS] Cleans up xpackml attributes
2019-01-08 06:32:36 +08:00
aggregated data into the {ml-features} instead of raw results, which
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
reduces the volume of data that must be considered while detecting anomalies.
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
TIP: If you use a terms aggregation and the cardinality of a term is high but
still significantly less than your total number of documents, use
{ref}/search-aggregations-bucket-composite-aggregation.html[composite aggregations]
experimental:[Support for composite aggregations inside datafeeds is currently experimental].
[DOCS] Clarify interval, frequency, and bucket span in ML APIs and example (#51280)
2020-01-23 00:08:31 +08:00
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[discrete]
[[aggs-limits-dfeeds]]
[DOCS] Changes level offset of anomaly detection pages (#59911)
2020-07-21 07:33:54 +08:00
== Requirements and limitations
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
There are some limitations to using aggregations in {dfeeds}.
[DOCS] Clarify interval, frequency, and bucket span in ML APIs and example (#51280)
2020-01-23 00:08:31 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
Your aggregation must include a `date_histogram` aggregation or a top level `composite` aggregation,
which in turn must contain a `max` aggregation on the time field.
This requirement ensures that the aggregated data is a time series and the timestamp
of each bucket is the time of the last record in the bucket.
IMPORTANT: The name of the aggregation and the name of the field that it
operates on need to match, otherwise the aggregation doesn't work. For example,
if you use a `max` aggregation on a time field called `responsetime`, the name
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
of the aggregation must be also `responsetime`.
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
You must consider the interval of the `date_histogram` or `composite`
aggregation carefully. The bucket span of your {anomaly-job} must be divisible
by the value of the `calendar_interval` or `fixed_interval` in your aggregation
(with no remainder). If you specify a `frequency` for your {dfeed},
it must also be divisible by this interval. {anomaly-jobs-cap} cannot use
`date_histogram` or `composite` aggregations with an interval measured in months
because the length of the month is not fixed; they can use weeks or smaller units.
[DOCS] Clarify interval, frequency, and bucket span in ML APIs and example (#51280)
2020-01-23 00:08:31 +08:00
TIP: As a rule of thumb, if your detectors use <<ml-metric-functions,metric>> or
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
<<ml-sum-functions,sum>> analytical functions, set the `date_histogram` or `composite`
[DOCS] Clarify interval, frequency, and bucket span in ML APIs and example (#51280)
2020-01-23 00:08:31 +08:00
aggregation interval to a tenth of the bucket span. This suggestion creates
finer, more granular time buckets, which are ideal for this type of analysis. If
your detectors use <<ml-count-functions,count>> or <<ml-rare-functions,rare>>
functions, set the interval to the same value as the bucket span.
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
If your <<aggs-dfeeds,{dfeed} uses aggregations with nested `terms` aggs>> and
model plot is not enabled for the {anomaly-job}, neither the **Single Metric
Viewer** nor the **Anomaly Explorer** can plot and display an anomaly
chart for the job. In these cases, the charts are not visible and an explanatory
[DOCS] Adds UI related limitation to configuring aggs docs (#65184) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-11-21 02:03:18 +08:00
message is shown.
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
Your {dfeed} can contain multiple aggregations, but only the ones with names
that match values in the job configuration are fed to the job.
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[discrete]
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
[[aggs-using-date-histogram]]
=== Including aggregations in {anomaly-jobs}
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[DOCS] Updates anomaly detection terminology (#44888)
2019-07-27 02:07:01 +08:00
When you create or update an {anomaly-job}, you can include the names of
aggregations, for example:
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[DOCS] Change // CONSOLE comments to [source,console] (#46441)
2019-09-06 22:55:16 +08:00
[source,console]
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
----------------------------------
[ML] Deprecate X-Pack centric ML endpoints (#36315) This commit is part of our plan to deprecate and ultimately remove the use of _xpack in the REST APIs. Relates #35958
2018-12-08 04:34:11 +08:00
PUT _ml/anomaly_detectors/farequote
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
{
"analysis_config": {
"bucket_span": "60m",
"detectors": [{
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
"function": "mean",
[DOCS] Makes the description clearer on how to use aggregations in an anomaly detection job (#53103) Co-authored-by: lcawl <lcawley@elastic.co>
2020-03-09 16:48:23 +08:00
"field_name": "responsetime", <1>
"by_field_name": "airline" <1>
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
}],
Fix summary_count_field -> summary_count_field_name typo (elastic/x-pack-elasticsearch#2588) Original commit: elastic/x-pack-elasticsearch@689be8c33a08ecf836f9305efc36a5ca21eca73f
2017-09-21 23:44:19 +08:00
"summary_count_field_name": "doc_count"
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
},
"data_description": {
[DOCS] Makes the description clearer on how to use aggregations in an anomaly detection job (#53103) Co-authored-by: lcawl <lcawley@elastic.co>
2020-03-09 16:48:23 +08:00
"time_field":"time" <1>
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
},
"datafeed_config":{
"indices": ["farequote"],
"aggregations": {
"buckets": {
"date_histogram": {
"field": "time",
"fixed_interval": "360s",
"time_zone": "UTC"
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
},
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
"aggregations": {
"time": { <2>
"max": {"field": "time"}
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
},
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
"airline": { <3>
"terms": {
"field": "airline",
"size": 100
},
"aggregations": {
"responsetime": { <4>
"avg": {
"field": "responsetime"
}
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
}
}
}
}
}
}
}
}
----------------------------------
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
// TEST[skip:setup:farequote_data]
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
<1> The `airline`, `responsetime`, and `time` fields are aggregations. Only the
aggregated fields defined in the `analysis_config` object are analyzed by the
{anomaly-job}.
<2> The aggregations have names that match the fields that they operate on. The
[DOCS] Makes the footnotes less verbose in configuring aggs page. (#55857)
2020-04-29 15:50:41 +08:00
`max` aggregation is named `time` and its field also needs to be `time`.
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
<3> The `term` aggregation is named `airline` and its field is also named
[DOCS] Makes the footnotes less verbose in configuring aggs page. (#55857)
2020-04-29 15:50:41 +08:00
`airline`.
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
<4> The `avg` aggregation is named `responsetime` and its field is also named
[DOCS] Makes the footnotes less verbose in configuring aggs page. (#55857)
2020-04-29 15:50:41 +08:00
`responsetime`.
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
When the `summary_count_field_name` property is set to a non-null value, the job
expects to receive aggregated input. The property must be set to the name of the
field that contains the count of raw data points that have been aggregated. It
applies to all detectors in the job.
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
TIP: If you are using a `term` aggregation to gather influencer or partition
field information, consider using a `composite` aggregation. It performs
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
better than a `date_histogram` with a nested `term` aggregation and also
includes all the values of the field instead of the top values per bucket.
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
[discrete]
[[aggs-using-composite]]
=== Using composite aggregations in {anomaly-jobs}
experimental::[]
For `composite` aggregation support, there must be exactly one `date_histogram` value
source. That value source must not be sorted in descending order. Additional
`composite` aggregation value sources are allowed, such as `terms`.
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
NOTE: A {dfeed} that uses composite aggregations may not be as performant as
{dfeeds} that use scrolling or date histogram aggregations. Composite
aggregations are optimized for queries that are either `match_all` or `range`
filters. Other types of
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
queries may cause the `composite` aggregation to be ineffecient.
Here is an example that uses a `composite` aggregation instead of a
`date_histogram`.
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
This is an example of a job with a {dfeed} that uses a `composite` aggregation
to bucket the metrics based on time and terms:
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
[source,console]
----------------------------------
PUT _ml/anomaly_detectors/farequote-composite
{
"analysis_config": {
"bucket_span": "60m",
"detectors": [{
"function": "mean",
"field_name": "responsetime",
"by_field_name": "airline"
}],
"summary_count_field_name": "doc_count"
},
"data_description": {
"time_field":"time"
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
},
"datafeed_config":{
"indices": ["farequote"],
"aggregations": {
"buckets": {
"composite": {
"size": 1000, <1>
"sources": [
{
"time_bucket": { <2>
"date_histogram": {
"field": "time",
"fixed_interval": "360s",
"time_zone": "UTC"
}
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
}
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
},
{
"airline": { <3>
"terms": {
"field": "airline"
}
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
}
}
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
]
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
},
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
"aggregations": {
"time": { <4>
"max": {
"field": "time"
}
},
"responsetime": { <5>
"avg": {
"field": "responsetime"
}
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
}
}
}
}
}
}
----------------------------------
<1> Provide the `size` to the composite agg to control how many resources
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
are used when aggregating the data. A larger `size` means a faster {dfeed} but
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
more cluster resources are used when searching.
<2> The required `date_histogram` composite aggregation source. Make sure it
is named differently than your desired time field.
<3> Instead of using a regular `term` aggregation, adding a composite
aggregation `term` source with the name `airline` works. Note its name
is the same as the field.
<4> The required `max` aggregation whose name is the time field in the
job analysis config.
<5> The `avg` aggregation is named `responsetime` and its field is also named
`responsetime`.
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[discrete]
[[aggs-dfeeds]]
[DOCS] Changes level offset of anomaly detection pages (#59911)
2020-07-21 07:33:54 +08:00
== Nested aggregations in {dfeeds}
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
{dfeeds-cap} support complex nested aggregations. This example uses the
`derivative` pipeline aggregation to find the first order derivative of the
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
counter `system.network.out.bytes` for each value of the field `beat.name`.
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
NOTE: `derivative` or other pipeline aggregations may not work within `composite`
aggregations. See
{ref}/search-aggregations-bucket-composite-aggregation.html#search-aggregations-bucket-composite-aggregation-pipeline-aggregations[composite aggregations and pipeline aggregations].
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[source,js]
----------------------------------
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
"aggregations": {
"beat.name": {
"terms": {
"field": "beat.name"
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
},
"aggregations": {
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
"buckets": {
"date_histogram": {
"field": "@timestamp",
Force selection of calendar or fixed intervals in date histo agg (#33727) The date_histogram accepts an interval which can be either a calendar interval (DST-aware, leap seconds, arbitrary length of months, etc) or fixed interval (strict multiples of SI units). Unfortunately this is inferred by first trying to parse as a calendar interval, then falling back to fixed if that fails. This leads to confusing arrangement where `1d` == calendar, but `2d` == fixed. And if you want a day of fixed time, you have to specify `24h` (e.g. the next smallest unit). This arrangement is very error-prone for users. This PR adds `calendar_interval` and `fixed_interval` parameters to any code that uses intervals (date_histogram, rollup, composite, datafeed, etc). Calendar only accepts calendar intervals, fixed accepts any combination of units (meaning `1d` can be used to specify `24h` in fixed time), and both are mutually exclusive. The old interval behavior is deprecated and will throw a deprecation warning. It is also mutually exclusive with the two new parameters. In the future the old dual-purpose interval will be removed. The change applies to both REST and java clients.
2019-05-07 05:17:11 +08:00
"fixed_interval": "5m"
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
},
"aggregations": {
"@timestamp": {
"max": {
"field": "@timestamp"
}
},
"bytes_out_average": {
"avg": {
"field": "system.network.out.bytes"
}
},
"bytes_out_derivative": {
"derivative": {
"buckets_path": "bytes_out_average"
}
}
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
}
}
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
}
}
}
----------------------------------
// NOTCONSOLE
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[discrete]
[[aggs-single-dfeeds]]
[DOCS] Changes level offset of anomaly detection pages (#59911)
2020-07-21 07:33:54 +08:00
== Single bucket aggregations in {dfeeds}
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[DOCS] Clarify interval, frequency, and bucket span in ML APIs and example (#51280)
2020-01-23 00:08:31 +08:00
{dfeeds-cap} not only supports multi-bucket aggregations, but also single bucket
aggregations. The following shows two `filter` aggregations, each gathering the
number of unique entries for the `error` field.
ML: Add support for single bucket aggs in Datafeeds (#37544) Single bucket aggs are now supported in datafeed aggregation configurations.
2019-01-19 05:08:53 +08:00
[source,js]
----------------------------------
{
"job_id":"servers-unique-errors",
"indices": ["logs-*"],
"aggregations": {
"buckets": {
"date_histogram": {
"field": "time",
"interval": "360s",
"time_zone": "UTC"
},
"aggregations": {
"time": {
"max": {"field": "time"}
}
"server1": {
"filter": {"term": {"source": "server-name-1"}},
"aggregations": {
"server1_error_count": {
"value_count": {
"field": "error"
}
}
}
},
"server2": {
"filter": {"term": {"source": "server-name-2"}},
"aggregations": {
"server2_error_count": {
"value_count": {
"field": "error"
}
}
}
}
}
}
}
}
----------------------------------
// NOTCONSOLE
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[discrete]
[[aggs-define-dfeeds]]
[DOCS] Changes level offset of anomaly detection pages (#59911)
2020-07-21 07:33:54 +08:00
== Defining aggregations in {dfeeds}
[DOCS] Provides further details on aggregations in datafeeds (#55462) Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-04-22 14:53:34 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
When you define an aggregation in a {dfeed}, it must have one of the following forms:
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
When using a `date_histogram` aggregation to bucket by time:
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
[source,js]
----------------------------------
"aggregations": {
["bucketing_aggregation": {
"bucket_agg": {
...
},
[DOCS] Update datafeed details in ML docs (#76854)
2021-08-26 02:35:21 +08:00
"aggregations": {
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
"data_histogram_aggregation": {
"date_histogram": {
"field": "time",
},
"aggregations": {
"timestamp": {
"max": {
"field": "time"
}
},
[,"<first_term>": {
"terms":{...
}
[,"aggregations" : {
[<sub_aggregation>]+
} ]
}]
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
}
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
}
}
}
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
}
----------------------------------
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
// NOTCONSOLE
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
When using a `composite` aggregation:
[source,js]
----------------------------------
"aggregations": {
"composite_agg": {
"sources": [
{
"date_histogram_agg": {
"field": "time",
...settings...
}
},
...other valid sources...
],
...composite agg settings...,
"aggregations": {
"timestamp": {
"max": {
"field": "time"
}
},
...other aggregations...
[
[,"aggregations" : {
[<sub_aggregation>]+
} ]
}]
}
}
}
----------------------------------
// NOTCONSOLE
The top level aggregation must be exclusively one of the following:
[DOCS] Fixes bulleted list in ML aggregations (#75806)
2021-07-29 02:29:48 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
* A {ref}/search-aggregations-bucket.html[bucket aggregation] containing a single
sub-aggregation that is a `date_histogram`
* A top level aggregation that is a `date_histogram`
[DOCS] Fixes bulleted list in ML aggregations (#75806)
2021-07-29 02:29:48 +08:00
* A top level aggregation is a `composite` aggregation
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
There must be exactly one `date_histogram`, `composite` aggregation. For more information, see
{ref}/search-aggregations-bucket-datehistogram-aggregation.html[Date histogram aggregation] and
{ref}/search-aggregations-bucket-composite-aggregation.html[Composite aggregation].
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[DOCS] Clarify interval, frequency, and bucket span in ML APIs and example (#51280)
2020-01-23 00:08:31 +08:00
NOTE: The `time_zone` parameter in the date histogram aggregation must be set to
`UTC`, which is the default value.
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
Each histogram or composite bucket has a key, which is the bucket start time.
This key cannot be used for aggregations in {dfeeds}, however, because
they need to know the time of the latest record within a bucket.
Otherwise, when you restart a {dfeed}, it continues from the start time of the
histogram or composite bucket and possibly fetches the same data twice.
The max aggregation for the time field is therefore necessary to provide
the time of the latest record within a bucket.
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
You can optionally specify a terms aggregation, which creates buckets for
different values of a field.
IMPORTANT: If you use a terms aggregation, by default it returns buckets for
the top ten terms. Thus if the cardinality of the term is greater than 10, not
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
all terms are analyzed. In this case, consider using `composite` aggregations
experimental:[Support for composite aggregations inside datafeeds is currently experimental].
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
You can change this behavior by setting the `size` parameter. To
determine the cardinality of your data, you can run searches such as:
[source,js]
--------------------------------------------------
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
GET .../_search
[DOCS] Fixes example aggregation syntax in datafeed aggregations. (#64936)
2020-11-11 23:33:36 +08:00
{
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
"aggs": {
"service_cardinality": {
"cardinality": {
"field": "service"
[DOCS] Fixes example aggregation syntax in datafeed aggregations. (#64936)
2020-11-11 23:33:36 +08:00
}
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
}
}
}
--------------------------------------------------
[ML][DOCS] Add example of top N derivative aggregation (#31109) Add example of top N derivative aggregation to the ML datafeed docs
2018-06-06 20:21:16 +08:00
// NOTCONSOLE
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
By default, {es} limits the maximum number of terms returned to 10000. For high
cardinality fields, the query might not run. It might return errors related to
circuit breaking exceptions that indicate that the data is too large. In such
[ML] adding support for composite aggs in anomaly detection (#69970) This commit allows for composite aggregations in datafeeds. Composite aggs provide a much better solution for having influencers, partitions, etc. on high volume data. Instead of worrying about long scrolls in the datafeed, the calculation is distributed across cluster via the aggregations. The restrictions for this support are as follows: - The composite aggregation must have EXACTLY one `date_histogram` source - The sub-aggs of the composite aggregation must have a `max` aggregation on the SAME timefield as the aforementioned `date_histogram` source - The composite agg must be the ONLY top level agg and it cannot have a `composite` or `date_histogram` sub-agg - If using a `date_histogram` to bucket time, it cannot have a `composite` sub-agg. - The top-level `composite` agg cannot have a sibling pipeline agg. Pipeline aggregations are supported as a sub-agg (thus a pipeline agg INSIDE the bucket). Some key user interaction differences: - Speed + resources used by the cluster should be controlled by the `size` parameter in the `composite` aggregation. Previously, we said if you are using aggs, use a specific `chunking_config`. But, with composite, that is not necessary. - Users really shouldn't use nested `terms` aggs anylonger. While this is still a "valid" configuration and MAY be desirable for some users (only wanting the top 10 of certain terms), typically when users want influencers, partition fields, etc. they want the ENTIRE population. Previously, this really wasn't possible with aggs, with `composite` it is. - I cannot really think of a typical usecase that SHOULD ever use a multi-bucket aggregation that is NOT supported by composite.
2021-03-30 20:25:40 +08:00
cases, use `composite` aggregations in your {dfeed}. For more information, see
[DOCS] Clarify interval, frequency, and bucket span in ML APIs and example (#51280)
2020-01-23 00:08:31 +08:00
{ref}/search-aggregations-bucket-terms-aggregation.html[Terms aggregation].
[DOCS] Add details about using aggregations with machine learning (elastic/x-pack-elasticsearch#1446) * [DOCS] Add ML aggregations configuration scenario * [DOCS] Refine ML configuration page * [DOCS] Add ML aggregation details * [DOCS] Add links to aggregations in Configuring ML * [DOCS] Address feedback about ML aggregations Original commit: elastic/x-pack-elasticsearch@847414409371d7c73fb332aab8d58f4284a9b61e
2017-05-24 05:34:21 +08:00
[DOCS] Clarify interval, frequency, and bucket span in ML APIs and example (#51280)
2020-01-23 00:08:31 +08:00
You can also optionally specify multiple sub-aggregations. The sub-aggregations
are aggregated for the buckets that were created by their parent aggregation.
For more information, see {ref}/search-aggregations.html[Aggregations].