Alerts from the Machine Learning UI in Kibana

In this section, we will go through several alerting techniques, starting with the simplest method and moving up in complexity. The first method of tying an alert to your ML job is the built-in alert wizard in the Machine Learning UI. There are two places to invoke this wizard:

  • After clicking the Create new job button in one of the job creation wizards (Single metric job, Multi metric job, Population job, and so on)
  • When starting a previously stopped datafeed in the ML job listing page, as shown in the following screenshot:

In either case, the option to create an alert (a watch) via the UI is only available when the ML job is set to run in real time (the Continue job in real time option), meaning that the job will be scheduled to run continually (otherwise, alerting doesn't make much sense). The UI asks for only a few inputs from the user:

  • Time range: Defaults to now minus 2 × bucket span; the UI shows this as a concrete value computed from the job's actual bucket span (for a 15m bucket span, now-30m). This is sensible under most circumstances. The true minimum lookback is now-(bucket span + query delay): a bucket starting at time T is only written once the datafeed has fetched data up to T + bucket span + query delay, yet its result is stamped with T, the leading edge of the bucket. Because the watch has its own schedule and runs asynchronously from the ML job, the lookback must be wide enough that the watch never misses a result in the .ml-anomalies indices. The 2 × bucket span default covers this as long as the query delay in the datafeed settings is no greater than the bucket span; if the query delay is larger, widen the range accordingly.
  • Severity threshold: Lets the user alert only on buckets whose anomaly score meets a minimum. For example, setting the value to critical means that the watch will only fire if the bucket anomaly score is greater than or equal to 75.
  • Send email: If checked and your cluster has been configured to send emails, this will allow the watch action to email an alert to the recipient, in addition to logging the message to a file.
Instructions for sending an email in Watcher can be found in the online documentation at https://www.elastic.co/guide/en/elasticsearch/reference/current/notification-settings.html#email-notification-settings.
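As an added example (not code from the original page or from Elastic), here is a small Python model of the watch these three inputs produce, assuming a hypothetical job called web-errors with a 15m bucket span and a 60s query delay. It computes the lookback (the wizard's 2 × bucket span default, widened when the query delay exceeds the bucket span), maps the severity name to a score threshold, builds a simplified Watcher body against the .ml-anomalies-* indices, and runs the same filter offline over constructed bucket results to show that a lookback of only one bucket span misses the newest bucket. The watch structure is a reconstruction rather than the wizard's exact output, and the thresholds other than critical = 75 are assumptions to verify against your Kibana version.

```python
import json
import re

# Severity names offered by the ML alert wizard, mapped to the minimum bucket
# anomaly_score that makes the watch fire. "critical" = 75 comes from the text;
# major/minor/warning are ASSUMED from Kibana's anomaly threshold constants.
SEVERITY_THRESHOLDS = {"critical": 75, "major": 50, "minor": 25, "warning": 3}

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Parse an Elasticsearch time value such as '15m', '1h' or '90s' into seconds."""
    m = re.fullmatch(r"\s*(\d+)([smhd])\s*", value)
    if not m:
        raise ValueError("unsupported time value: %r" % (value,))
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def min_lookback_seconds(bucket_span, query_delay):
    """Smallest lookback that cannot miss a bucket: bucket span + query delay.

    A bucket starting at T is finalised only after the datafeed has seen data up
    to T + bucket_span + query_delay, yet its result is stamped with T (the
    leading edge of the bucket). A narrower window can run before the newest
    bucket is written and never see it.
    """
    return parse_duration(bucket_span) + parse_duration(query_delay)


def watch_lookback_seconds(bucket_span, query_delay):
    """The wizard default of 2 x bucket_span, widened when query_delay > bucket_span."""
    return max(2 * parse_duration(bucket_span),
               min_lookback_seconds(bucket_span, query_delay))


def build_watch(job_id, bucket_span, query_delay, severity, email_to=None):
    """Build a Watcher definition in the spirit of the wizard's watch.

    The field names (.ml-anomalies-*, job_id, result_type, anomaly_score,
    timestamp) are those of the ML results index; the overall watch layout is a
    simplified reconstruction, not the wizard's exact output.
    """
    threshold = SEVERITY_THRESHOLDS[severity]
    lookback = watch_lookback_seconds(bucket_span, query_delay)
    watch = {
        "trigger": {"schedule": {"interval": bucket_span}},
        "input": {"search": {"request": {
            "indices": [".ml-anomalies-*"],
            "body": {
                "size": 0,
                "query": {"bool": {"filter": [
                    {"term": {"job_id": job_id}},
                    {"term": {"result_type": "bucket"}},
                    {"range": {"anomaly_score": {"gte": threshold}}},
                    {"range": {"timestamp": {"gte": "now-%ds" % lookback}}},
                ]}},
            },
        }}},
        # Assumes Watcher exposes hits.total as a number; on newer versions
        # check whether ctx.payload.hits.total.value is needed instead.
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"log": {"logging": {
            "text": "ML job %s: bucket anomaly_score >= %d in the last %ds"
                    % (job_id, threshold, lookback)}}},
    }
    if email_to:
        # Only works once the cluster's email notification settings are configured.
        watch["actions"]["send_email"] = {"email": {
            "to": [email_to],
            "subject": "ML anomaly alert for job %s" % job_id,
            "body": "{{ctx.payload.hits.total}} bucket(s) at or above score %d" % threshold,
        }}
    return watch


def matching_buckets(buckets, job_id, threshold, lookback, now):
    """Offline model of the watch's search filter over bucket result documents."""
    return [
        b for b in buckets
        if b["job_id"] == job_id
        and b["result_type"] == "bucket"
        and b["anomaly_score"] >= threshold
        and b["timestamp"] >= now - lookback
    ]


# Constructed sample bucket results (epoch seconds); not real job output.
# The NOW-970 bucket (span 900s, delay 60s) was written only ~10s ago.
NOW = 1_700_000_000
SAMPLE_BUCKETS = [
    {"job_id": "web-errors", "result_type": "bucket", "timestamp": NOW - 970,  "anomaly_score": 92.0},
    {"job_id": "web-errors", "result_type": "bucket", "timestamp": NOW - 1700, "anomaly_score": 80.0},
    {"job_id": "web-errors", "result_type": "bucket", "timestamp": NOW - 2000, "anomaly_score": 95.0},
    {"job_id": "web-errors", "result_type": "bucket", "timestamp": NOW - 1300, "anomaly_score": 40.0},
    {"job_id": "other-job",  "result_type": "bucket", "timestamp": NOW - 1300, "anomaly_score": 99.0},
]

if __name__ == "__main__":
    print(json.dumps(build_watch("web-errors", "15m", "60s", "critical", "soc@example.com"), indent=2))
    # A lookback of one bucket span (900s) misses the freshly written NOW-970 bucket.
    print(len(matching_buckets(SAMPLE_BUCKETS, "web-errors", 75, 900, NOW)),
          len(matching_buckets(SAMPLE_BUCKETS, "web-errors", 75, 1800, NOW)))
```

The offline filter is the part worth keeping around: before putting a watch into production, run the same predicate over the last few hours of bucket results for the job and confirm that every bucket you expect to alert on falls inside the lookback window.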

After creating the watch from the ML UI, the watch is viewable, editable, and can be tested/simulated via the Watcher UI (or via the API, of course). Let's take a moment to inspect the contents of the watch that ML creates. By doing so, we can understand the details of what the watch is doing, and also use this knowledge to create more detailed, complex watches.
