opendistro-for-elasticsearch/anomaly-detection

Alerts for change in traffic pattern

ahemanna opened this issue · 4 comments

Hello,

This is not really an issue, but more of a how-to/is-it-possible-to kind of question. Apologies if it does not belong here.

We are using AWS Elasticsearch for log analysis and I'm looking for a way to set up alerts whenever there is a change in traffic pattern; say, for example, a rise/drop in traffic by a margin of 50%. Is this something that's possible? If yes, could you please point me to some reference on how this could be done?

I am able to set up alerts based on some condition, like HTTP status code for example, using alerting. But not for a change in traffic pattern. I'd appreciate it if you could point me in the right direction.

Thank you.

wnbts commented

Hi, thank you for your interest.

  1. The alerting project is https://github.com/opendistro-for-elasticsearch/alerting . Setting up an alert for traffic should be similar to one for HTTP status code. The aggregation might be a count of requests. It is unclear to me if alerting allows a condition like a 50% margin.
  2. Anomaly detection can also be used for monitoring traffic, since a rise/drop can be an anomaly. But anomaly detection doesn't accept explicit rules; instead it uses machine learning to detect changes, so the results might not exactly match those from hard rules. You are welcome to give it a try.

@wnbts Thank you for your response.

  1. Currently I am using opendistro's alerting feature to set up an alert for rise/drop in traffic. But the thresholds will have to be manually determined and configured in the trigger.
  2. I did play around with the anomaly detector and, as per the docs, I see that the supported aggregation methods under features are average(), count(), sum(), min() and max(). But I don't see the count() method in the dropdown.


wnbts commented

Thanks for your interest in using anomaly detection. The count aggregation was not supported in an earlier version of Kibana and was added in 1.8 or later versions. If you do not wish to/cannot try new versions, the workaround for the earlier version is to use Custom Expression rather than Field value and then add an expression like the following.

{
    "<agg name>": {
        "value_count": {
            "field": "<field name>"
        }
    }
}

@wnbts Thanks for this. I can play around with this.

I'll close this issue and report if I face any more challenges. Thank you once again :)
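As an added illustration of the two ideas discussed in this thread (a `value_count` custom-expression feature, and a hard-rule "50% margin" check over request counts per time bucket), the following Python is not code from the opendistro-for-elasticsearch project; the `requests` aggregation name, the `request_id` field, the 5-minute interval and the sample bucket values are all constructed assumptions.

```python
"""Flag a rise/drop of at least `margin` (default 50%) between consecutive request-count buckets."""
from typing import Dict, List


def value_count_feature(agg_name: str, field: str) -> Dict:
    """The custom-expression feature shape from the thread: a value_count on one field."""
    return {agg_name: {"value_count": {"field": field}}}


def traffic_count_query(field: str, interval: str = "5m", agg_name: str = "requests") -> Dict:
    """Search body a monitor could run: per-interval date_histogram with a value_count sub-aggregation."""
    return {
        "size": 0,
        "aggs": {
            "per_interval": {
                "date_histogram": {"field": "@timestamp", "fixed_interval": interval},
                "aggs": value_count_feature(agg_name, field),
            }
        },
    }


def traffic_change_alerts(buckets: List[Dict], agg_name: str, margin: float = 0.5) -> List[Dict]:
    """Compare each bucket's count with the previous bucket and return those whose
    relative change is at least `margin`. A zero previous count has no defined ratio
    and is skipped rather than reported as an infinite rise."""
    alerts = []
    for prev, cur in zip(buckets, buckets[1:]):
        prev_n = prev[agg_name]["value"]
        cur_n = cur[agg_name]["value"]
        if prev_n == 0:
            continue
        change = (cur_n - prev_n) / prev_n
        if abs(change) >= margin:
            alerts.append({"bucket": cur["key_as_string"], "previous": prev_n, "current": cur_n,
                           "change": round(change, 2), "direction": "rise" if change > 0 else "drop"})
    return alerts


# Constructed sample in the shape of a date_histogram response with a value_count sub-aggregation.
SAMPLE_BUCKETS = [
    {"key_as_string": "2020-06-01T10:00:00Z", "requests": {"value": 1000}},
    {"key_as_string": "2020-06-01T10:05:00Z", "requests": {"value": 1100}},  # +10%, below margin
    {"key_as_string": "2020-06-01T10:10:00Z", "requests": {"value": 400}},   # -64%, drop
    {"key_as_string": "2020-06-01T10:15:00Z", "requests": {"value": 700}},   # +75%, rise
]

if __name__ == "__main__":
    for alert in traffic_change_alerts(SAMPLE_BUCKETS, "requests"):
        print(alert)
```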