Get anomaly detection job results for influencers Generally available; Added in 5.4.0

GET /_ml/anomaly_detectors/{job_id}/results/influencers
Api key auth Basic auth Bearer auth

Influencers are the entities that have contributed to, or are to blame for, the anomalies. Influencer results are available only if an influencer_field_name is specified in the job configuration.

Required authorization

  • Cluster privileges: monitor_ml

Path parameters

  • job_id string Required

    Identifier for the anomaly detection job.

Query parameters

  • desc boolean

    If true, the results are sorted in descending order.

  • end string | number

    Returns influencers with timestamps earlier than this time. The default value means it is unset and results are not limited to specific timestamps.

  • exclude_interim boolean

    If true, the output excludes interim results. By default, interim results are included.

  • influencer_score number

    Returns influencers with anomaly scores greater than or equal to this value.

  • from number

    Skips the specified number of influencers.

  • size number

    Specifies the maximum number of influencers to obtain.

  • sort string

    Specifies the sort field for the requested influencers. By default, the influencers are sorted by the influencer_score value.

  • start string | number

    Returns influencers with timestamps after this time. The default value means it is unset and results are not limited to specific timestamps.

application/json

Body

  • page object
    Hide page attributes Show page attributes object
    • from number

      Skips the specified number of items.

    • size number

      Specifies the maximum number of items to obtain.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • count number Required
    • influencers array[object] Required

      Array of influencer objects

      Hide influencers attributes Show influencers attributes object
      • bucket_span number

        Time unit for seconds

      • influencer_score number Required

        A normalized score between 0-100, which is based on the probability of the influencer in this bucket aggregated across detectors. Unlike initial_influencer_score, this value is updated by a re-normalization process as new data is analyzed.

      • influencer_field_name string Required

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • influencer_field_value string Required

        The entity that influenced, contributed to, or was to blame for the anomaly.

      • initial_influencer_score number Required

        A normalized score between 0-100, which is based on the probability of the influencer aggregated across detectors. This is the initial value that was calculated at the time the bucket was processed.

      • is_interim boolean Required

        If true, this is an interim result. In other words, the results are calculated based on partial input data.

      • job_id string Required
      • probability number Required

        The probability that the influencer has this behavior, in the range 0 to 1. This value can be held to a high precision of over 300 decimal places, so the influencer_score is provided as a human-readable and friendly interpretation of this value.

      • result_type string Required

        Internal. This value is always set to influencer.

      • timestamp number

        Time unit for milliseconds

      • foo string

        Additional influencer properties are added, depending on the fields being analyzed. For example, if it’s analyzing user_name as an influencer, a field user_name is added to the result document. This information enables you to filter the anomaly results more easily.
GET /_ml/anomaly_detectors/{job_id}/results/influencers 
GET _ml/anomaly_detectors/high_sum_total_sales/results/influencers
{
  "sort": "influencer_score",
  "desc": true
}
resp = client.ml.get_influencers(
    job_id="high_sum_total_sales",
    sort="influencer_score",
    desc=True,
)
const response = await client.ml.getInfluencers({
  job_id: "high_sum_total_sales",
  sort: "influencer_score",
  desc: true,
});
response = client.ml.get_influencers(
  job_id: "high_sum_total_sales",
  body: {
    "sort": "influencer_score",
    "desc": true
  }
)
$resp = $client->ml()->getInfluencers([
    "job_id" => "high_sum_total_sales",
    "body" => [
        "sort" => "influencer_score",
        "desc" => true,
    ],
]);
curl -X GET -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"sort":"influencer_score","desc":true}' "$ELASTICSEARCH_URL/_ml/anomaly_detectors/high_sum_total_sales/results/influencers"
Request example
An example body for a `GET _ml/anomaly_detectors/high_sum_total_sales/results/influencers` request. 
{
  "sort": "influencer_score",
  "desc": true
}