Results Exploration

Anomaly Search Summary

The Anomaly Search Summary window contains the results for the anomaly searches that are configured within the Jobs window.

Screen 20: Anomaly Search Summary

Selecting a time range

You must select a time range within which to view results. As with any Kibana and Elasticsearch query, you can easily select the timeframe of interest; in our case we selected a one-month timeframe, as screen 21 depicts. Quick definitions for common timeframes are also available to make it more convenient to navigate to a place in your data. With the Kibana default, the last 15 minutes is selected. If no anomaly results are available for the selected timeframe, you will need to expand it.

Screen 21: Anomaly Search Summary >> Timeframe setting

Selecting jobs

All Anomaly Search Jobs are displayed by default. To narrow this focus, use the job picker in the top navigation bar to select jobs.

Anomaly Search Summary >> Job Picker

Event rate

The event rate section (screen 22) presents an aggregated view of the event rate for each of the jobs that have been created, grouped into major time intervals. The legend on the right lists the jobs that have data for this timeframe. Hovering over a part of the bar graph pops up details for the selected time: the job name, the timestamp and the average event count per minute.

Screen 22: Anomaly Search Summary >> Event rate

Anomaly score by job

The Anomaly Score by job section of the Summary view (screen 25 below) shows anomalies per job. The view uses a swim lane layout to align the scoring of each job temporally alongside the others. This makes it easier to understand how anomalies in different jobs scored relative to one another and when they occurred. Hovering over a swim lane interval pops up summary information for that interval: the job name and its maximum anomaly score.

Clicking on a swim lane block will take you to the Anomaly Explorer window for a detailed analysis of the selected job.

Screen 25: Anomaly Search Summary >> Anomaly score by job

Anomaly Score by influencer type

The Anomaly Score by influencer type section (screen 26 below) depicts the scoring of all associated influencers across all the jobs displayed in the window. Hovering over an item in the swim lane displays a popup containing the maximum anomaly score for that interval on that influencer, and the top field values for that influencer type. This visualization is most valuable for identifying the influencers that a set of anomalies have in common.

Clicking on a swim lane block will take you to the Anomaly Explorer window for further detailed analysis.

Screen 26: Anomaly Search Summary >> Anomaly score by influencer type

Anomaly Explorer

The Anomaly Explorer window enables deep dive exploration of the Anomaly search results. The Explorer consists of three sections: an anomaly timeline, a display of the top influencers, and a complete listing of all anomalies. Screen 27 depicts the Anomaly Explorer view.

Screen 27: Anomaly Explorer

Anomaly timeline

The Anomaly timeline section (screen 28) depicts the scoring timeline across the detectors and fields used in the analysis for the selected jobs. Hovering over a scoring marker pops up details with the maximum probability score for the indicated time interval. Use the drop-down menus at the top of the timeline to switch between viewing results across detectors or across the various fields used in the analysis, and to alter the time interval used to aggregate the data.

This view will show the most anomalous periods for each detector. Hint: When defining a detector for a job, use an easy-to-understand detector description.

Screen 28: Anomaly Explorer >> Anomaly timeline

Influencers List

The Influencers list (depicted in screen 29) enables you to see the impact of each influencer across anomaly searches. The length of each line, together with its score and color, indicates the influencer's statistical relevance to the job(s) it is associated with.

Screen 29: Anomaly Explorer >> Influencers

Anomalies list

The Anomalies list contains a summarized view of the anomalies found (depicted in screen 30).

By default, this view is filtered to show anomalies of minor severity and above (as pictured). Use the Severity threshold drop-down to change this filter.

By default, this view also shows only the biggest anomaly within each time interval, in order to reduce the number of anomalies shown in the table. Selecting Auto picks the most appropriate time interval for the date range, either by hour or by day. If you wish to view all anomaly results, select Show All.
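To make the table's two reduction rules concrete, here is an added Python example (not part of this documentation or the product's own code) that applies a severity threshold and then keeps only the highest-scoring anomaly per interval over constructed sample records. The numeric score bands for each severity and the rule behind Auto are assumptions, not values stated on this page.

```python
from datetime import datetime, timedelta

# Assumed severity bands on a 0-100 anomaly score; the page does not state them.
SEVERITY_MIN_SCORE = {"warning": 0, "minor": 25, "major": 50, "critical": 75}

# Constructed sample records: (timestamp, detector description, entity, anomaly score).
SAMPLE_ANOMALIES = [
    (datetime(2017, 3, 1, 10, 5), "high_count", "10.0.0.5", 12.0),
    (datetime(2017, 3, 1, 10, 40), "high_count", "10.0.0.7", 61.0),
    (datetime(2017, 3, 1, 11, 15), "rare_process", "host-a", 33.0),
    (datetime(2017, 3, 2, 9, 0), "high_count", "10.0.0.5", 88.0),
    (datetime(2017, 3, 2, 9, 30), "rare_process", "host-b", 27.0),
]


def auto_interval(start, end):
    """Assumed Auto rule: hourly buckets for ranges up to two days, daily beyond that."""
    return "hour" if end - start <= timedelta(days=2) else "day"


def bucket_key(ts, interval):
    """Truncate a timestamp to the start of its hour or day."""
    if interval == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def anomalies_list(records, severity="minor", interval="auto"):
    """Return the rows the Anomalies table would show.

    Records below the severity threshold are dropped; the rest are reduced to the
    single highest-scoring record per interval. interval="all" mirrors Show All.
    """
    threshold = SEVERITY_MIN_SCORE[severity]
    kept = [r for r in records if r[3] >= threshold]
    if not kept or interval == "all":
        return sorted(kept)
    if interval == "auto":
        interval = auto_interval(min(r[0] for r in kept), max(r[0] for r in kept))
    best = {}
    for rec in kept:
        key = bucket_key(rec[0], interval)
        if key not in best or rec[3] > best[key][3]:
            best[key] = rec
    return sorted(best.values())


if __name__ == "__main__":
    for row in anomalies_list(SAMPLE_ANOMALIES):
        print(row)
```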

Screen 30: Anomaly Explorer >> Anomalies

Anomaly event details

Expand a row in the Anomalies table to view all anomaly details. See screen 31.

If you have a custom dashboard containing your original source data, and have configured a Custom URL in the job configuration, then you can click on Open Link to drill through to your source data for this time period and the selected entity.

Screen 31: Anomaly Explorer >> Anomaly summary expanded sections