Alert only on 3 consecutive anomalies above a certain summed score
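POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1440m"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            ".ml-anomalies-*"
          ],
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "timestamp": {
                        "gte": "now-5y"
                      }
                    }
                  },
                  {
                    "term": {
                      "result_type": "record"
                    }
                  },
                  {
                    "term": {
                      "job_id": "farequote_1m"
                    }
                  }
                ]
              }
            },
            "aggs": {
              "by_split": {
                "terms": {
                  "field": "partition_field_value",
                  "size": 10000,
                  "min_doc_count": 3
                },
                "aggs": {
                  "details": {
                    "date_histogram": {
                      "field": "timestamp",
                      "fixed_interval": "1m"
                    },
                    "aggs": {
                      "the_score": {
                        "sum": {
                          "field": "record_score"
                        }
                      },
                      "three_bucket_sum": {
                        "moving_fn": {
                          "buckets_path": "the_score",
                          "window": 3,
                          "script": "MovingFunctions.sum(values)"
                        }
                      },
                      "remove_low_scores": {
                        "bucket_selector": {
                          "buckets_path": {
                            "score": "the_score.value"
                          },
                          "script": "params.score > 40"
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": """
        // Fire when any 1-minute bucket, for any partition value, carries a
        // three_bucket_sum of at least 120. Only buckets that passed
        // remove_low_scores (the_score > 40) are present in the payload.
        //
        // NOTE(review): with the default shift, moving_fn sums the `window`
        // buckets that precede the current one, and a sum of 120 can be
        // reached by fewer than three anomalous buckets. Confirm this matches
        // the intended "3 in a row" rule before relying on the alert.
        //
        // NOTE(review): the search looks back "now-5y" while the schedule is
        // 1440m. That suits a one-off _execute over historical data; as a
        // stored watch each run would re-match the same old buckets, so the
        // range should be narrowed to the schedule interval plus the window.
        for (def splits : ctx.payload.aggregations.by_split.buckets) {
          for (def details : splits.details.buckets) {
            if (details.three_bucket_sum.value >= 120) {
              return true;
            }
          }
        }
        // Explicit negative result so the condition never depends on how a
        // script without a final return is evaluated.
        return false;
      """
    },
    "actions": {
      "log": {
        "transform": {
          "script": """
            // Build one {split, date} entry per partition value that has at
            // least one bucket meeting the threshold. Later matches overwrite
            // earlier ones, so "date" is the last matching bucket of the split.
            // Keep the 120 threshold in step with the condition script.
            def records = new ArrayList();
            for (def splits : ctx.payload.aggregations.by_split.buckets) {
              def anomalies = new HashMap();
              for (def details : splits.details.buckets) {
                if (details.three_bucket_sum.value >= 120) {
                  anomalies.put("split", splits.key);
                  anomalies.put("date", details.key_as_string);
                }
              }
              // Skip splits with no qualifying bucket; an empty map would be
              // rendered by the logging template as a line with no split or date.
              if (!anomalies.isEmpty()) {
                records.add(anomalies);
              }
            }
            return records;
          """
        },
        "logging": {
          "text": """
          Anomalies:
          ==========
          {{#ctx.payload._value}}
          {{split}} had 3 anomalies in a row at {{date}}
          {{/ctx.payload._value}}
          """
        }
      }
    }
  }
}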
@richcollier
Author

Results look like:

      "actions" : [
        {
          "id" : "log",
          "type" : "logging",
          "status" : "success",
          "transform" : {
            "type" : "script",
            "status" : "success",
            "payload" : {
              "_value" : [
                {
                  "date" : "2021-02-10T12:32:00.000Z",
                  "split" : "AAL"
                },
                {
                  "date" : "2021-02-10T19:19:00.000Z",
                  "split" : "AWE"
                },
                {
                  "date" : "2021-02-10T22:10:00.000Z",
                  "split" : "AMX"
                }
              ]
            }
          },
          "logging" : {
            "logged_text" : """
          Anomalies:
          ==========
          AAL had 3 anomalies in a row at 2021-02-10T12:32:00.000Z
          AWE had 3 anomalies in a row at 2021-02-10T19:19:00.000Z
          AMX had 3 anomalies in a row at 2021-02-10T22:10:00.000Z
           """
          }
        }
      ]
