Record Resource

An instance of an anomaly record in the API is defined by the properties listed below.

The exact fields present in the record depend on the type of analysis performed. For example, if you do not specify a partitionFieldName in your job configuration, your results will not contain partitionFieldName or partitionFieldValue fields. Empty and null fields are not included in the record.

timestamp:

Anomaly records are produced in buckets; this is the bucket's start time. timestamp is an ISO 8601 format string, e.g. 2014-07-22T06:00:00Z.

Type: Date

anomalyScore:

This is an anomaly score for the bucket time interval. The score is calculated based upon a sophisticated aggregation of the anomalies in the bucket. Use this score for rate-controlled alerting.

Type: Number

normalizedProbability:

The human-readable version of probability. This is the probability of the individual anomaly occurring, normalized with respect to all other individual anomaly records, not including historically aged anomalies. A value of 100 indicates that this anomaly was highly unlikely, and therefore highly anomalous. Use this to show a list of the most significant causal factors for an alert.

Type: Number

initialNormalizedProbability:

The value of normalizedProbability, fixed at the time the record result was created. This is normalized based on data which has already been seen; it is not re-normalized and therefore is not adjusted for more recent data. Use this to show the values that would have occurred if looking at the system in real time.

Type: Number

probability:

The probability of the individual anomaly occurring. This is in the range 0 to 1. For example, 0.03 means 3%. This value is held to a high precision of over 300 decimal places. In scientific notation, a value of 3.24E-300 is highly unlikely and therefore highly anomalous.

Type: Number

function:

The function in which the anomaly occurs. See the Functions Reference for a list of the analytical functions available in the API.

Type: String

functionDescription:

The friendly name for the function in which the anomaly occurs, as specified in the detector configuration. Defaults to function.

Type: String

actual:

The actual value for the bucket.

Type: Number

typical:

The typical value according to analytical modeling, for the bucket.

Type: Number

fieldName:

Certain functions require a field to operate on. For those functions, this is the name of the field to be analyzed. For example, sum(bytes), min(amount) or distinct_count(clientip).

Type: String

byFieldName:

If specified in the detector, this is the name of the analyzed field.

Type: String

byFieldValue:

If specified in the detector, this is the value of the byFieldName.

Type: String

partitionFieldName:

If specified in the detector, this is the name of the partition field used in the analysis.

Type: String

partitionFieldValue:

If specified in the detector, this is the value of the partitionFieldName.

Type: String

overFieldName:

If specified in the detector, this is the name of the over field.

Type: String

overFieldValue:

If specified in the detector, this is the value of the overFieldName.

Type: String

isInterim:

If set to true, this anomaly record is interim, i.e. calculated from partial input data. For anomaly records that are not interim, this property may be false or may not be present.

Type: Boolean

detectorIndex:

A unique identifier for the detector for which this anomaly occurs.

Type: Number

bucketSpan:

The length of the bucket in seconds, equal to the job’s bucketSpan parameter.

Type: Number

causes[]:

If an over field was specified in the detector, then this contains an array of anomaly records that are the causes for the anomaly that has been identified for the over field. This field will not be present if no over fields exist. See the section on Detector Configuration for full details on including an over field in your analysis.

This sub-resource contains the most anomalous records for the overFieldValue. For scalability reasons, a maximum of the 10 most significant causes of the anomaly will be returned. As part of the core analytical modeling, these low-level anomaly records are aggregated for their parent over field record.

The causes resource contains similar elements to the record resource, namely actual, typical, *FieldName and *FieldValue. Probability and scores are not applicable to causes.

Type: Array of Anomaly Records

influencers[]:

If influencers are specified in the Detector Configuration, this contains an array of Influencers that contributed to, or were to blame for, the anomaly. See Best practices for selecting Influencers.

Type: Array of Influencers

Influencers

influencerFieldName:

The field name of the influencer type. For example, clientip or user.

Type: String

influencerFieldValues:

A multi-value field containing the influencers of a particular type. These contributed to, or were to blame for, the anomaly.

Type: Array of strings
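The following is an added example of consuming records of the shape described above; it is not code from the API or its documentation. It assumes the records arrive as a JSON array with the field names listed on this page, and the sample records, the alert threshold of 75 and the cause-ranking heuristic are constructed for illustration. It shows three points a practitioner needs to get right when alerting on these records: decode probability without losing precision (a value such as 1.0E-400 becomes 0.0 as a double), skip interim records when alerting on anomalyScore, and treat every by/over/partition field as optional because absent fields are simply omitted.

```python
import json
from decimal import Decimal

# Constructed sample input (not from the page): two anomaly records in the
# shape of the record resource. Values are made up for the example.
SAMPLE_RECORDS_JSON = """[
  {
    "timestamp": "2014-07-22T06:00:00Z",
    "anomalyScore": 87.3,
    "normalizedProbability": 92.1,
    "initialNormalizedProbability": 80.5,
    "probability": 3.24E-300,
    "function": "sum",
    "functionDescription": "sum(bytes)",
    "fieldName": "bytes",
    "overFieldName": "clientip",
    "overFieldValue": "10.0.0.5",
    "detectorIndex": 0,
    "bucketSpan": 3600,
    "causes": [
      {"actual": 125000000, "typical": 1200000, "overFieldName": "clientip",
       "overFieldValue": "10.0.0.5", "byFieldName": "status", "byFieldValue": "200"},
      {"actual": 8000000, "typical": 900000, "overFieldName": "clientip",
       "overFieldValue": "10.0.0.5", "byFieldName": "status", "byFieldValue": "404"}
    ],
    "influencers": [
      {"influencerFieldName": "clientip", "influencerFieldValues": ["10.0.0.5"]},
      {"influencerFieldName": "user", "influencerFieldValues": ["svc-backup", "alice"]}
    ]
  },
  {
    "timestamp": "2014-07-22T07:00:00Z",
    "anomalyScore": 95.0,
    "normalizedProbability": 99.0,
    "probability": 1.0E-400,
    "function": "count",
    "isInterim": true,
    "detectorIndex": 1,
    "bucketSpan": 3600
  }
]"""


def parse_records(text):
    """Parse the records array. Floats are decoded as Decimal so a probability
    far below the double-precision range (e.g. 1.0E-400) keeps its value
    instead of collapsing to 0.0 as float() would make it."""
    return json.loads(text, parse_float=Decimal)


def should_alert(record, threshold=75):
    """Rate-controlled alerting on anomalyScore. Interim records are skipped:
    they rest on partial bucket data and a final record for the bucket
    follows. isInterim may be absent, which means not interim."""
    if record.get("isInterim", False):
        return False
    return record["anomalyScore"] >= threshold


def describe_detector(record):
    """Build a label from the optional analysis fields, using .get() because
    absent by/over/partition fields are omitted from the record entirely."""
    label = record.get("functionDescription", record["function"])
    for name_key, value_key in (("byFieldName", "byFieldValue"),
                                ("overFieldName", "overFieldValue"),
                                ("partitionFieldName", "partitionFieldValue")):
        if name_key in record:
            label += " %s=%s" % (record[name_key], record.get(value_key))
    return label


def rank_causes(record):
    """Causes carry actual/typical but no probability or score, so rank them by
    relative deviation of actual from typical (a constructed heuristic, not a
    value the API provides). Returns (byFieldValue, actual, typical) tuples."""
    ranked = []
    for cause in record.get("causes", []):
        typical = cause["typical"]
        deviation = abs(cause["actual"] - typical) / typical if typical else float("inf")
        ranked.append((deviation, cause))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return [(c.get("byFieldValue"), c["actual"], c["typical"]) for _, c in ranked]


def influencer_pairs(record):
    """Flatten influencers[] into (influencerFieldName, value) pairs, the form
    an analyst pivots on when investigating the alert."""
    pairs = []
    for inf in record.get("influencers", []):
        for value in inf["influencerFieldValues"]:
            pairs.append((inf["influencerFieldName"], value))
    return pairs


def triage(text, threshold=75):
    """Return one summary per alert-worthy (non-interim, high-score) record."""
    summaries = []
    for record in parse_records(text):
        if not should_alert(record, threshold):
            continue
        summaries.append({
            "timestamp": record["timestamp"],
            "detector": describe_detector(record),
            "anomalyScore": record["anomalyScore"],
            "probability": record["probability"],
            "causes": rank_causes(record),
            "influencers": influencer_pairs(record),
        })
    return summaries


if __name__ == "__main__":
    for summary in triage(SAMPLE_RECORDS_JSON):
        print(summary)
```

Alerting on anomalyScore while listing causes and influencers in the alert body follows the split the page describes: the score drives alert volume, while normalizedProbability, causes[] and influencers[] explain what contributed once an alert fires.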