Reserved field names

If you retrieve results programmatically using the REST API, there are very few restrictions on the field names you can analyze. However, because of the way Kibana field mappings work, if you want to view results in the Behavioral Analytics UI it is best to avoid field names that are used in Prelert configuration or results documents. The full list of these is below. For example, if you defined a detector to analyze the field inputFieldCount in your own data, you would find that certain parts of the UI navigation around results describing anomalies in inputFieldCount did not work correctly. In this case the anomalies would still be found and would be accessible through the REST API; only UI navigation is impaired.

Alphabetical list of reserved field names

  • @timestamp
  • actual
  • aggregations
  • aggs
  • analysisConfig
  • analysisLimits
  • anomalyScore
  • arguments
  • backgroundPersistInterval
  • baseUrl
  • batchSpan
  • boundsPercentile
  • bucketAllocationFailuresCount
  • bucketCount
  • bucketInfluencers
  • bucketSpan
  • bucketTime
  • byFieldName
  • byFieldValue
  • categorizationExamplesLimit
  • categorizationFieldName
  • categorizationFilters
  • categoryId
  • causes
  • correlatedByFieldValue
  • counts
  • customSettings
  • dataDescription
  • dataSource
  • dataSourceCompatibility
  • debugFeature
  • debugLower
  • debugMedian
  • debugUpper
  • detectorDescription
  • detectorIndex
  • detectors
  • encryptedPassword
  • eventCount
  • examples
  • excludedRecordCount
  • failedTransformCount
  • fieldDelimiter
  • fieldName
  • filePath
  • finishedTime
  • format
  • frequency
  • function
  • functionDescription
  • ignoreDowntime
  • indexes
  • influencerFieldName
  • influencerFieldValue
  • influencerFieldValues
  • influencers
  • initialAnomalyScore
  • initialNormalizedProbability
  • inputBytes
  • inputFieldCount
  • inputRecordCount
  • inputs
  • invalidDateCount
  • isInterim
  • jobId
  • lastDataTime
  • latency
  • latestRecordTimeStamp
  • latestResultTimeStamp
  • logTime
  • maxMatchingLength
  • maxNormalizedProbability
  • memoryStatus
  • missingFieldCount
  • modelBytes
  • modelDebugConfig
  • modelMemoryLimit
  • modelSizeStats
  • modelSnapshotRetentionDays
  • multivariateByFields
  • normalizedProbability
  • outOfOrderTimeStampCount
  • outputs
  • overFieldName
  • overFieldValue
  • overlappingBuckets
  • partitionFieldName
  • partitionFieldValue
  • period
  • probability
  • processedFieldCount
  • processedRecordCount
  • quantileState
  • query
  • queryDelay
  • quoteCharacter
  • rawAnomalyScore
  • recordCount
  • records
  • regex
  • renormalizationWindowDays
  • restorePriority
  • resultFinalizationWindow
  • resultsRetentionDays
  • retrieveWholeSource
  • schedulerConfig
  • schedulerStatus
  • script_fields
  • scrollSize
  • snapshotDocCount
  • snapshotId
  • summaryCountFieldName
  • tailFile
  • terms
  • timeField
  • timeFormat
  • timeout
  • totalByFieldCount
  • totalOverFieldCount
  • totalPartitionFieldCount
  • transform
  • transforms
  • types
  • typical
  • useNull
  • writeTo
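
A pre-flight check for the collision described above, as an added example that is not part of the Prelert documentation: it scans a job configuration for analyzed field names that appear in the reserved list. The job layout (analysisConfig.detectors with fieldName, byFieldName, overFieldName and partitionFieldName, plus analysisConfig.influencers), the exact-case matching and the sample job are assumptions.

```python
# Added example: reserved names copied from the list above, matched case-sensitively.
RESERVED = frozenset("""
@timestamp actual aggregations aggs analysisConfig analysisLimits anomalyScore
arguments backgroundPersistInterval baseUrl batchSpan boundsPercentile
bucketAllocationFailuresCount bucketCount bucketInfluencers bucketSpan bucketTime
byFieldName byFieldValue categorizationExamplesLimit categorizationFieldName
categorizationFilters categoryId causes correlatedByFieldValue counts
customSettings dataDescription dataSource dataSourceCompatibility debugFeature
debugLower debugMedian debugUpper detectorDescription detectorIndex detectors
encryptedPassword eventCount examples excludedRecordCount failedTransformCount
fieldDelimiter fieldName filePath finishedTime format frequency function
functionDescription ignoreDowntime indexes influencerFieldName
influencerFieldValue influencerFieldValues influencers initialAnomalyScore
initialNormalizedProbability inputBytes inputFieldCount inputRecordCount inputs
invalidDateCount isInterim jobId lastDataTime latency latestRecordTimeStamp
latestResultTimeStamp logTime maxMatchingLength maxNormalizedProbability
memoryStatus missingFieldCount modelBytes modelDebugConfig modelMemoryLimit
modelSizeStats modelSnapshotRetentionDays multivariateByFields
normalizedProbability outOfOrderTimeStampCount outputs overFieldName
overFieldValue overlappingBuckets partitionFieldName partitionFieldValue period
probability processedFieldCount processedRecordCount quantileState query
queryDelay quoteCharacter rawAnomalyScore recordCount records regex
renormalizationWindowDays restorePriority resultFinalizationWindow
resultsRetentionDays retrieveWholeSource schedulerConfig schedulerStatus
script_fields scrollSize snapshotDocCount snapshotId summaryCountFieldName
tailFile terms timeField timeFormat timeout totalByFieldCount
totalOverFieldCount totalPartitionFieldCount transform transforms types typical
useNull writeTo
""".split())

ROLES = ("fieldName", "byFieldName", "overFieldName", "partitionFieldName")

def reserved_collisions(job):
    """Return sorted (location, name) pairs; the job layout is an assumption."""
    cfg = job.get("analysisConfig", {})
    hits = set()
    for i, det in enumerate(cfg.get("detectors", [])):
        for role in ROLES:
            if det.get(role) in RESERVED:  # a missing role yields None, never reserved
                hits.add((f"detectors[{i}].{role}", det[role]))
    hits.update(("influencers", n) for n in cfg.get("influencers", []) if n in RESERVED)
    return sorted(hits)

# Constructed sample job, not taken from the page.
SAMPLE_JOB = {"analysisConfig": {"bucketSpan": 300, "detectors": [
    {"function": "mean", "fieldName": "inputFieldCount", "byFieldName": "host"},
    {"function": "count", "byFieldName": "status", "partitionFieldName": "latency"}],
    "influencers": ["host", "jobId"]}}

if __name__ == "__main__":
    print(reserved_collisions(SAMPLE_JOB))
```

Renaming the flagged fields in the data feed before creating the job avoids the impaired UI navigation.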