Path parameters

• job_id string Required

  Identifier for the anomaly detection job.

Query parameters

• desc boolean

  If true, the results are sorted in descending order.

• end string | number

  Returns records with timestamps earlier than this time. The default value means results are not limited to specific timestamps.

• exclude_interim boolean

  If true, the output excludes interim results.

• from number

  Skips the specified number of records.

• record_score number

  Returns records with anomaly scores greater or equal than this value.

• size number

  Specifies the maximum number of records to obtain.

• sort string

  Specifies the sort field for the requested records.

• start string | number

  Returns records with timestamps after this time. The default value means results are not limited to specific timestamps.

Responses

• 200 application/json
  Hide response attributes Show response attributes object

  • count number Required
  • records array[object] Required
    Hide records attributes Show records attributes object

    • actual array[number]

      The actual value for the bucket.

    • anomaly_score_explanation object
      Hide anomaly_score_explanation attributes Show anomaly_score_explanation attributes object

      • anomaly_characteristics_impact number

        Impact from the duration and magnitude of the detected anomaly relative to the historical average.

      • anomaly_length number

        Length of the detected anomaly in the number of buckets.

      • anomaly_type string

        Type of the detected anomaly: spike or dip.

      • high_variance_penalty boolean

        Indicates reduction of anomaly score for the bucket with large confidence intervals. If a bucket has large confidence intervals, the score is reduced.

      • incomplete_bucket_penalty boolean

        If the bucket contains fewer samples than expected, the score is reduced.

      • lower_confidence_bound number

        Lower bound of the 95% confidence interval.

      • multi_bucket_impact number

        Impact of the deviation between actual and typical values in the past 12 buckets.

      • single_bucket_impact number

        Impact of the deviation between actual and typical values in the current bucket.

      • typical_value number

        Typical (expected) value for this bucket.

      • upper_confidence_bound number

        Upper bound of the 95% confidence interval.

    • bucket_span number

      Time unit for seconds

    • by_field_name string

      The field used to split the data. In particular, this property is used for analyzing the splits with respect to their own history. It is used for finding unusual values in the context of the split.

    • by_field_value string

      The value of by_field_name.

    • causes array[object]

      For population analysis, an over field must be specified in the detector. This property contains an array of anomaly records that are the causes for the anomaly that has been identified for the over field. This sub-resource contains the most anomalous records for the over_field_name. For scalability reasons, a maximum of the 10 most significant causes of the anomaly are returned. As part of the core analytical modeling, these low-level anomaly records are aggregated for their parent over field record. The causes resource contains similar elements to the record resource, namely actual, typical, geo_results.actual_point, geo_results.typical_point, *_field_name and *_field_value. Probability and scores are not applicable to causes.

      Hide causes attributes Show causes attributes object

      • actual array[number]
      • by_field_name string
      • by_field_value string
      • correlated_by_field_value string
      • field_name string

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • function string
      • function_description string
      • geo_results object
        Hide geo_results attributes Show geo_results attributes object

        • actual_point string

          The actual value for the bucket formatted as a geo_point.

        • typical_point string

          The typical value for the bucket formatted as a geo_point.

      • influencers array[object]
      • over_field_name string
      • over_field_value string
      • partition_field_name string
      • partition_field_value string
      • probability number Required
      • typical array[number]
    • detector_index number Required

      A unique identifier for the detector.

    • field_name string

      Certain functions require a field to operate on, for example, sum(). For those functions, this value is the name of the field to be analyzed.

    • function string

      The function in which the anomaly occurs, as specified in the detector configuration. For example, max.

    • function_description string

      The description of the function in which the anomaly occurs, as specified in the detector configuration.

    • geo_results object
      Hide geo_results attributes Show geo_results attributes object

      • actual_point string

        The actual value for the bucket formatted as a geo_point.

      • typical_point string

        The typical value for the bucket formatted as a geo_point.

    • influencers array[object]

      If influencers were specified in the detector configuration, this array contains influencers that contributed to or were to blame for an anomaly.

      Hide influencers attributes Show influencers attributes object

      • influencer_field_name string Required
      • influencer_field_values array[string] Required
    • initial_record_score number Required

      A normalized score between 0-100, which is based on the probability of the anomalousness of this record. This is the initial value that was calculated at the time the bucket was processed.

    • is_interim boolean Required

      If true, this is an interim result. In other words, the results are calculated based on partial input data.

    • job_id string Required

      Identifier for the anomaly detection job.

    • over_field_name string

      The field used to split the data. In particular, this property is used for analyzing the splits with respect to the history of all splits. It is used for finding unusual values in the population of all splits.

    • over_field_value string

      The value of over_field_name.

    • partition_field_name string

      The field used to segment the analysis. When you use this property, you have completely independent baselines for each value of this field.

    • partition_field_value string

      The value of partition_field_name.

    • probability number Required

      The probability of the individual anomaly occurring, in the range 0 to 1. For example, 0.0000772031. This value can be held to a high precision of over 300 decimal places, so the record_score is provided as a human-readable and friendly interpretation of this.

    • record_score number Required

      A normalized score between 0-100, which is based on the probability of the anomalousness of this record. Unlike initial_record_score, this value will be updated by a re-normalization process as new data is analyzed.

    • result_type string Required

      Internal. This is always set to record.

    • timestamp number

      Time unit for milliseconds

    • typical array[number]

      The typical value for the bucket, according to analytical modeling.