Bucket Resource

An instance of a bucket result in the API is defined by the following properties:

timestamp:

The start time of the bucket in ISO 8601 format, e.g. 2015-12-22T06:00:00Z.

Type: Date

anomalyScore:

The aggregated and normalized anomaly score. All the anomaly records in the bucket contribute to this score.

Type: Number

initialAnomalyScore:

The value of anomalyScore, fixed at the time the bucket result was created. It is normalized based on the data that had already been seen at that point; it is not re-normalized and therefore is not adjusted for more recent data. Use it to show the values that would have been seen when looking at the system in real time.

Type: Number

maxNormalizedProbability:

The maximum normalized probability value for the records within this bucket. This identifies the most unusual anomaly record within the bucket but does not account for the quantity or correlation of unusual things that occurred.

Type: Number

recordCount:

The number of anomaly records in this bucket.

Type: Unsigned Int

eventCount:

The number of input data records processed in this bucket.

Type: Unsigned Int

isInterim:

If set to true then this bucket result is interim, in other words, calculated based on partial input data. For results that are not interim, this property may be false or may not be present.

Type: Boolean

bucketSpan:

The length of the bucket in seconds, equal to the job’s bucketSpan parameter.

Type: Unsigned Int

bucketInfluencers[]:

A bucketInfluencer is the statistically aggregated and normalized view of the combined anomalousness of an influencer type. All anomalous buckets contain a result for bucketTime, which represents the overall anomalousness of the bucket time interval. Other bucketInfluencers will be present when influencers have been configured for a job. See Bucket Influencers.

Type: Array of Bucket Influencers

records[]:

If the expand query option was used then this field will be an array of anomaly records. If expand was not used then this field will not be present. See Bucket Resource Expansion.

Type: Array of Anomaly Records

processingTimeMs:

The time in milliseconds taken by the analytics engine to analyse the bucket contents and produce results.

Type: Unsigned Int

Bucket Influencers

anomalyScore:

The aggregated and normalized anomaly score for the influencer type. All the anomaly records in the bucket for this influencer type contribute to this score.

Type: Number

influencerFieldName:

The field name of the influencer type, e.g. user or clientip. A value of bucketTime represents the overall anomalousness of the time interval.

Type: String

probability:

The probability of the anomalousness of the influencer type.

Type: Number
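
The following is an added example, not part of the original API documentation, showing how a consumer might triage bucket results using the properties described above: it skips interim buckets, separates buckets that are anomalous overall from those with one very unusual record, and reports how far anomalyScore has moved from initialAnomalyScore. The sample buckets are constructed, and the triage function and both threshold values are assumptions chosen for illustration.

```python
import json

# Constructed sample results; only properties documented on this page are used.
SAMPLE_BUCKETS = json.loads("""
[
 {"timestamp": "2015-12-22T06:00:00Z", "anomalyScore": 82.5, "initialAnomalyScore": 91.0,
  "maxNormalizedProbability": 97.1, "recordCount": 4, "eventCount": 1200, "bucketSpan": 3600,
  "bucketInfluencers": [
   {"influencerFieldName": "bucketTime", "anomalyScore": 82.5, "probability": 0.0001},
   {"influencerFieldName": "clientip", "anomalyScore": 88.0, "probability": 0.00002}]},
 {"timestamp": "2015-12-22T07:00:00Z", "anomalyScore": 3.2, "initialAnomalyScore": 3.2,
  "maxNormalizedProbability": 76.4, "recordCount": 1, "eventCount": 1150, "bucketSpan": 3600,
  "isInterim": false,
  "bucketInfluencers": [
   {"influencerFieldName": "bucketTime", "anomalyScore": 3.2, "probability": 0.04}]},
 {"timestamp": "2015-12-22T08:00:00Z", "anomalyScore": 95.0, "initialAnomalyScore": 95.0,
  "maxNormalizedProbability": 99.0, "recordCount": 2, "eventCount": 40, "bucketSpan": 3600,
  "isInterim": true, "bucketInfluencers": []}
]
""")

def triage(buckets, score_threshold=50.0, record_threshold=75.0):
    """Return one finding per final bucket that crosses a threshold (assumed values)."""
    findings = []
    for b in buckets:
        # isInterim may be absent on final results, so treat a missing key as False.
        if b.get("isInterim", False):
            continue  # calculated from partial input data; wait for the final result
        if b["anomalyScore"] >= score_threshold:
            reason = "bucket"          # anomalous in aggregate
        elif b["maxNormalizedProbability"] >= record_threshold:
            reason = "single-record"   # one very unusual record, low aggregate score
        else:
            continue
        # bucketTime describes the interval itself, so list only configured influencers.
        named = sorted((i for i in b.get("bucketInfluencers", [])
                        if i["influencerFieldName"] != "bucketTime"),
                       key=lambda i: i["anomalyScore"], reverse=True)
        findings.append({
            "timestamp": b["timestamp"],
            "reason": reason,
            # Negative drift: re-normalization lowered the score since creation.
            "score_drift": round(b["anomalyScore"] - b["initialAnomalyScore"], 2),
            "influencer_types": [i["influencerFieldName"] for i in named],
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BUCKETS), indent=2))
```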