# Anomaly result mapping
When you select the **Enable custom result index** box in the **Custom result index** pane, the Anomaly Detection plugin saves its results to the index you chose. When the detector does not detect an anomaly, the result has the following format:
```json
{
  "detector_id": "kzcZ43wBgEQAbjDnhzGF",
  "schema_version": 5,
  "data_start_time": 1635898161367,
  "data_end_time": 1635898221367,
  "feature_data": [
    {
      "feature_id": "processing_bytes_max",
      "feature_name": "processing bytes max",
      "data": 2322
    },
    {
      "feature_id": "processing_bytes_avg",
      "feature_name": "processing bytes avg",
      "data": 1718.6666666666667
    },
    {
      "feature_id": "processing_bytes_min",
      "feature_name": "processing bytes min",
      "data": 1375
    },
    {
      "feature_id": "processing_bytes_sum",
      "feature_name": "processing bytes sum",
      "data": 5156
    },
    {
      "feature_id": "processing_time_max",
      "feature_name": "processing time max",
      "data": 31198
    }
  ],
  "execution_start_time": 1635898231577,
  "execution_end_time": 1635898231622,
  "anomaly_score": 1.8124904404395776,
  "anomaly_grade": 0,
  "confidence": 0.9802940756605277,
  "entity": [
    {
      "name": "process_name",
      "value": "process_3"
    }
  ],
  "model_id": "kzcZ43wBgEQAbjDnhzGF_entity_process_3",
  "threshold": 1.2368549346675202
}
```
## Response body fields

| Field | Description |
|---|---|
| detector_id | A unique ID that identifies the detector. |
| schema_version | The mapping version of the result index. |
| data_start_time | The start of the detection range of the aggregated data. |
| data_end_time | The end of the detection range of the aggregated data. |
| feature_data | An array of the aggregated data points between `data_start_time` and `data_end_time`. |
| execution_start_time | The actual time at which the detector started producing the anomaly result for a specific run. This start time includes the window delay parameter, which you can set to delay data collection. The window delay is the difference between `execution_start_time` and `data_start_time`. |
| execution_end_time | The actual time at which the detector finished producing the anomaly result for a specific run. |
| anomaly_score | Indicates the relative severity of an anomaly. The higher the score, the more anomalous the data point. |
| anomaly_grade | A normalized version of `anomaly_score`, between 0 and 1. |
| confidence | The probability that `anomaly_score` is accurate. The closer the number is to 1, the higher the accuracy. During the probation period of a running detector, confidence is low (< 0.9) because the detector has seen only limited data. |
| entity | An entity is a combination of specific category field values. It includes the name and value of the category field. In the previous example, `process_name` is the category field and processes such as `process_3` are the field values. The `entity` field is only present for a high-cardinality detector (one for which you have selected a category field). |
| model_id | A unique ID that identifies the model. If a detector is a single-stream detector (with no category field), it has only one model. If a detector is a high-cardinality detector (with one or more category fields), it may have multiple models, one for each entity. |
| threshold | One of the criteria for a detector to classify a data point as an anomaly is that its `anomaly_score` must exceed a dynamic threshold. This field records the current threshold. |
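The following Python snippet is an added example (not part of the plugin's documentation or code) that reads a result document from a custom result index and turns the fields described above into a triage record: the window delay (`execution_start_time - data_start_time`), the length of the detection range, whether the detector is still in its probation period, and whether the result is actually an anomaly. The sample document is constructed from the "no anomaly detected" result shown above, trimmed to two features; it also illustrates that `anomaly_score` exceeding `threshold` is only one criterion, since that sample has a score above the threshold yet an `anomaly_grade` of 0. The constant `PROBATION_CONFIDENCE` is this example's own name for the 0.9 figure stated in the table.

```python
import json

# Constructed sample: the page's "no anomaly detected" result, trimmed to two features.
SAMPLE_RESULT = json.loads("""
{
  "detector_id": "kzcZ43wBgEQAbjDnhzGF",
  "schema_version": 5,
  "data_start_time": 1635898161367,
  "data_end_time": 1635898221367,
  "feature_data": [
    {"feature_id": "processing_bytes_max", "feature_name": "processing bytes max", "data": 2322},
    {"feature_id": "processing_time_max", "feature_name": "processing time max", "data": 31198}
  ],
  "execution_start_time": 1635898231577,
  "execution_end_time": 1635898231622,
  "anomaly_score": 1.8124904404395776,
  "anomaly_grade": 0,
  "confidence": 0.9802940756605277,
  "entity": [{"name": "process_name", "value": "process_3"}],
  "model_id": "kzcZ43wBgEQAbjDnhzGF_entity_process_3",
  "threshold": 1.2368549346675202
}
""")

# Assumed name for the page's figure: confidence stays below 0.9 while a detector is in probation.
PROBATION_CONFIDENCE = 0.9


def window_delay_ms(result: dict) -> int:
    """Window delay as the page defines it: execution_start_time minus data_start_time."""
    return result["execution_start_time"] - result["data_start_time"]


def interval_ms(result: dict) -> int:
    """Length of the detection range over which feature_data was aggregated."""
    return result["data_end_time"] - result["data_start_time"]


def entity_label(result: dict) -> str:
    """Render the category field name/value pairs, or mark a single-stream result."""
    entity = result.get("entity")
    if not entity:
        return "single-stream"
    return ",".join(f"{e['name']}={e['value']}" for e in entity)


def triage(result: dict) -> dict:
    """Summarise one result document for alerting or dashboards."""
    grade = result["anomaly_grade"]
    confidence = result["confidence"]
    return {
        "detector_id": result["detector_id"],
        "entity": entity_label(result),
        # A grade above 0 is the indicator that the detector classified the point as anomalous.
        "anomaly": grade > 0,
        # Score above threshold is necessary but, as the sample shows, not sufficient on its own.
        "score_over_threshold": result["anomaly_score"] > result["threshold"],
        "grade": grade,
        "confidence": confidence,
        "probation": confidence < PROBATION_CONFIDENCE,
        "window_delay_ms": window_delay_ms(result),
        "interval_ms": interval_ms(result),
        "features": {f["feature_id"]: f["data"] for f in result["feature_data"]},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESULT), indent=2))
```

When wiring results into alerting, key the alert on `anomaly_grade > 0` rather than on `anomaly_score > threshold`, and treat results with `confidence` below 0.9 as provisional while the detector is still in probation.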
When the imputation option is enabled, the anomaly result includes a `feature_imputed` array that shows which features were modified because of missing data. If no features were imputed, this array is omitted. In the following example anomaly result, the `processing_bytes_max` feature was imputed, as indicated by `imputed: true`:
```json
{
  "detector_id": "kzcZ43wBgEQAbjDnhzGF",
  "schema_version": 5,
  "data_start_time": 1635898161367,
  "data_end_time": 1635898221367,
  "feature_data": [
    {
      "feature_id": "processing_bytes_max",
      "feature_name": "processing bytes max",
      "data": 2322
    },
    {
      "feature_id": "processing_bytes_avg",
      "feature_name": "processing bytes avg",
      "data": 1718.6666666666667
    },
    {
      "feature_id": "processing_bytes_min",
      "feature_name": "processing bytes min",
      "data": 1375
    },
    {
      "feature_id": "processing_bytes_sum",
      "feature_name": "processing bytes sum",
      "data": 5156
    },
    {
      "feature_id": "processing_time_max",
      "feature_name": "processing time max",
      "data": 31198
    }
  ],
  "execution_start_time": 1635898231577,
  "execution_end_time": 1635898231622,
  "anomaly_score": 1.8124904404395776,
  "anomaly_grade": 0,
  "confidence": 0.9802940756605277,
  "entity": [
    {
      "name": "process_name",
      "value": "process_3"
    }
  ],
  "model_id": "kzcZ43wBgEQAbjDnhzGF_entity_process_3",
  "threshold": 1.2368549346675202,
  "feature_imputed": [
    {
      "feature_id": "processing_bytes_max",
      "imputed": true
    },
    {
      "feature_id": "processing_bytes_avg",
      "imputed": false
    },
    {
      "feature_id": "processing_bytes_min",
      "imputed": false
    },
    {
      "feature_id": "processing_bytes_sum",
      "imputed": false
    },
    {
      "feature_id": "processing_time_max",
      "imputed": false
    }
  ]
}
```
When an anomaly is detected, the result has the following format:
```json
{
  "detector_id": "fylE53wBc9MCt6q12tKp",
  "schema_version": 0,
  "data_start_time": 1635927900000,
  "data_end_time": 1635927960000,
  "feature_data": [
    {
      "feature_id": "processing_bytes_max",
      "feature_name": "processing bytes max",
      "data": 2291
    },
    {
      "feature_id": "processing_bytes_avg",
      "feature_name": "processing bytes avg",
      "data": 1677.3333333333333
    },
    {
      "feature_id": "processing_bytes_min",
      "feature_name": "processing bytes min",
      "data": 1054
    },
    {
      "feature_id": "processing_bytes_sum",
      "feature_name": "processing bytes sum",
      "data": 5032
    },
    {
      "feature_id": "processing_time_max",
      "feature_name": "processing time max",
      "data": 11422
    }
  ],
  "anomaly_score": 1.1986675882872033,
  "anomaly_grade": 0.26806225550178464,
  "confidence": 0.9607519742565531,
  "entity": [
    {
      "name": "process_name",
      "value": "process_3"
    }
  ],
  "approx_anomaly_start_time": 1635927900000,
  "relevant_attribution": [
    {
      "feature_id": "processing_bytes_max",
      "data": 0.03628638020431366
    },
    {
      "feature_id": "processing_bytes_avg",
      "data": 0.03384479053991436
    },
    {
      "feature_id": "processing_bytes_min",
      "data": 0.058812549572819096
    },
    {
      "feature_id": "processing_bytes_sum",
      "data": 0.10154576265526988
    },
    {
      "feature_id": "processing_time_max",
      "data": 0.7695105170276828
    }
  ],
  "expected_values": [
    {
      "likelihood": 1,
      "value_list": [
        {
          "feature_id": "processing_bytes_max",
          "data": 2291
        },
        {
          "feature_id": "processing_bytes_avg",
          "data": 1677.3333333333333
        },
        {
          "feature_id": "processing_bytes_min",
          "data": 1054
        },
        {
          "feature_id": "processing_bytes_sum",
          "data": 6062
        },
        {
          "feature_id": "processing_time_max",
          "data": 23379
        }
      ]
    }
  ],
  "threshold": 1.0993584705913992,
  "execution_end_time": 1635898427895,
  "execution_start_time": 1635898427803
}
```
Note that the result includes the following additional fields.

| Field | Description |
|---|---|
| relevant_attribution | Indicates the contribution of each input variable. The sum of all attributions is normalized to 1. |
| expected_values | The expected value for each feature. |
A detector may detect an anomaly late. For example, consider a detector that observes data alternating between a "slow week" (represented by the triple {1, 2, 3}) and a "busy week" (represented by the triple {2, 4, 5}). If the detector encounters the pattern {2, 2, X}, where it has not yet seen the value that X will take, it infers that the pattern is anomalous. However, it cannot determine which 2 is the cause. If X = 3, the first 2 is the anomaly; if X = 5, the second 2 is the anomaly. If it is the first 2, the detector detects the anomaly late.

When a detector detects an anomaly late, the result includes the following additional fields.

| Field | Description |
|---|---|
| past_values | The actual input that triggered the anomaly. If `past_values` is null, the attributions and expected values come from the current input. If `past_values` is not null, the attributions and expected values come from a past input (for example, the previous two steps of the data, [1,2,3]). |
| approx_anomaly_start_time | The approximate time of the actual input that triggered the anomaly. This field helps you understand when the detector flagged the anomaly. Neither single-stream nor high-cardinality detectors query previous anomaly results, because those queries are expensive operations; the cost is especially high for high-cardinality detectors, which may have many entities. If the data is not continuous, the accuracy of this field is lower, and the actual time at which the detector detected the anomaly may be earlier. |
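The following Python snippet is an added example (not part of the plugin's documentation or code) showing how a consumer of the result index should read `relevant_attribution`, `expected_values`, `past_values` and `approx_anomaly_start_time` together: it ranks features by attribution, picks the input the attribution actually refers to (`past_values` when present, otherwise the current `feature_data`), and measures how late the detection was as `data_start_time - approx_anomaly_start_time`. Both sample documents are constructed: `IMMEDIATE` is trimmed from the "anomaly detected" result above with the attribution of the two retained features renormalized to sum to 1, and `DELAYED` reuses the timestamps, `past_values` and `expected_values` of the page's late-detection example with constructed attribution weights.

```python
import json

# Constructed sample 1: trimmed from the page's "anomaly detected" result. past_values is absent,
# so the attribution refers to the current feature_data. Attribution weights renormalized to sum to 1.
IMMEDIATE = json.loads("""
{
  "data_start_time": 1635927900000,
  "data_end_time": 1635927960000,
  "feature_data": [
    {"feature_id": "processing_bytes_sum", "feature_name": "processing bytes sum", "data": 5032},
    {"feature_id": "processing_time_max", "feature_name": "processing time max", "data": 11422}
  ],
  "anomaly_grade": 0.26806225550178464,
  "relevant_attribution": [
    {"feature_id": "processing_bytes_sum", "data": 0.23048948297231718},
    {"feature_id": "processing_time_max", "data": 0.7695105170276828}
  ],
  "expected_values": [{"likelihood": 1, "value_list": [
    {"feature_id": "processing_bytes_sum", "data": 6062},
    {"feature_id": "processing_time_max", "data": 23379}
  ]}],
  "approx_anomaly_start_time": 1635927900000
}
""")

# Constructed sample 2: a late detection. Timestamps, past_values and expected_values follow the
# page's late-detection example; the attribution weights are constructed for this example.
DELAYED = json.loads("""
{
  "data_start_time": 1635883860000,
  "data_end_time": 1635883920000,
  "feature_data": [
    {"feature_id": "processing_bytes_sum", "feature_name": "processing bytes sum", "data": 2970},
    {"feature_id": "processing_time_max", "feature_name": "processing time max", "data": 9670}
  ],
  "anomaly_grade": 0.5514172746375128,
  "relevant_attribution": [
    {"feature_id": "processing_bytes_sum", "data": 0.8},
    {"feature_id": "processing_time_max", "data": 0.2}
  ],
  "past_values": [
    {"feature_id": "processing_bytes_sum", "data": 1437},
    {"feature_id": "processing_time_max", "data": 8440}
  ],
  "expected_values": [{"likelihood": 1, "value_list": [
    {"feature_id": "processing_bytes_sum", "data": 4847},
    {"feature_id": "processing_time_max", "data": 15713}
  ]}],
  "approx_anomaly_start_time": 1635883620000
}
""")


def attribution_ranking(result: dict) -> list:
    """Features ordered by contribution; rejects a document whose attributions do not sum to 1."""
    weights = [(a["feature_id"], a["data"]) for a in result.get("relevant_attribution", [])]
    total = sum(w for _, w in weights)
    if weights and abs(total - 1.0) > 1e-6:
        raise ValueError(f"attributions should sum to 1, got {total}")
    return sorted(weights, key=lambda fw: fw[1], reverse=True)


def is_delayed(result: dict) -> bool:
    """The page's rule: a non-null past_values means the attribution refers to a past input."""
    return result.get("past_values") is not None


def triggering_input(result: dict) -> dict:
    """The input the attribution and expected values describe: past_values if present, else feature_data."""
    source = result["past_values"] if is_delayed(result) else result["feature_data"]
    return {f["feature_id"]: f["data"] for f in source}


def expected_input(result: dict) -> dict:
    """Expected values from the most likely entry of expected_values."""
    best = max(result["expected_values"], key=lambda ev: ev["likelihood"])
    return {f["feature_id"]: f["data"] for f in best["value_list"]}


def detection_lag_ms(result: dict) -> int:
    """How far before the current detection range the anomaly approximately started."""
    start = result.get("approx_anomaly_start_time")
    return 0 if start is None else result["data_start_time"] - start


def explain(result: dict) -> dict:
    """Top contributing feature, its actual and expected values, and whether the detection was late."""
    top, weight = attribution_ranking(result)[0]
    actual, expected = triggering_input(result), expected_input(result)
    return {
        "delayed": is_delayed(result),
        "lag_ms": detection_lag_ms(result),
        "top_feature": top,
        "top_weight": weight,
        "actual": actual[top],
        "expected": expected[top],
        "deviation": actual[top] - expected[top],
    }


if __name__ == "__main__":
    for name, doc in (("immediate", IMMEDIATE), ("delayed", DELAYED)):
        print(name, json.dumps(explain(doc)))
```

For the delayed document, the explanation correctly reports the `past_values` figure (1437) rather than the current `feature_data` figure (2970) for the top feature, and a lag of 240000 ms, which is four 60-second intervals before the current detection range; an investigator pivoting into raw logs should start from `approx_anomaly_start_time`, not `data_start_time`.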
```json
{
  "detector_id": "kzcZ43wBgEQAbjDnhzGF",
  "confidence": 0.9746820962328963,
  "relevant_attribution": [
    {
      "feature_id": "deny_max1",
      "data": 0.07339452532666227
    },
    {
      "feature_id": "deny_avg",
      "data": 0.04934972719948845
    },
    {
      "feature_id": "deny_min",
      "data": 0.01803003656061806
    },
    {
      "feature_id": "deny_sum",
      "data": 0.14804918212089874
    },
    {
      "feature_id": "accept_max5",
      "data": 0.7111765287923325
    }
  ],
  "task_id": "9Dck43wBgEQAbjDn4zEe",
  "threshold": 1,
  "model_id": "kzcZ43wBgEQAbjDnhzGF_entity_app_0",
  "schema_version": 5,
  "anomaly_score": 1.141419389056506,
  "execution_start_time": 1635898427803,
  "past_values": [
    {
      "feature_id": "processing_bytes_max",
      "data": 905
    },
    {
      "feature_id": "processing_bytes_avg",
      "data": 479
    },
    {
      "feature_id": "processing_bytes_min",
      "data": 128
    },
    {
      "feature_id": "processing_bytes_sum",
      "data": 1437
    },
    {
      "feature_id": "processing_time_max",
      "data": 8440
    }
  ],
  "data_end_time": 1635883920000,
  "data_start_time": 1635883860000,
  "feature_data": [
    {
      "feature_id": "processing_bytes_max",
      "feature_name": "processing bytes max",
      "data": 1360
    },
    {
      "feature_id": "processing_bytes_avg",
      "feature_name": "processing bytes avg",
      "data": 990
    },
    {
      "feature_id": "processing_bytes_min",
      "feature_name": "processing bytes min",
      "data": 608
    },
    {
      "feature_id": "processing_bytes_sum",
      "feature_name": "processing bytes sum",
      "data": 2970
    },
    {
      "feature_id": "processing_time_max",
      "feature_name": "processing time max",
      "data": 9670
    }
  ],
  "expected_values": [
    {
      "likelihood": 1,
      "value_list": [
        {
          "feature_id": "processing_bytes_max",
          "data": 905
        },
        {
          "feature_id": "processing_bytes_avg",
          "data": 479
        },
        {
          "feature_id": "processing_bytes_min",
          "data": 128
        },
        {
          "feature_id": "processing_bytes_sum",
          "data": 4847
        },
        {
          "feature_id": "processing_time_max",
          "data": 15713
        }
      ]
    }
  ],
  "execution_end_time": 1635898427895,
  "anomaly_grade": 0.5514172746375128,
  "entity": [
    {
      "name": "process_name",
      "value": "process_3"
    }
  ],
  "approx_anomaly_start_time": 1635883620000
}
```
## Flattened anomaly result mapping

When you select the **Enable flattened custom result index** option in the **Custom result index** pane, the Anomaly Detection plugin flattens all nested fields before saving them to the index.

Nested fields stored in the index use the following flattening rules.

| Field | Flattening rule | Example nested input | Example flattened output |
|---|---|---|---|
| relevant_attribution | `relevant_attribution_$FEATURE_NAME_data: $RELEVANT_ATTRIBUTION_FEATURE_DATA` | `"relevant_attribution": [{"feature_id": "deny_max1", "data": 0.07339452532666227}]` | `relevant_attribution_deny_max1_data: 0.07339452532666227` |
| past_values | `past_values_$FEATURE_NAME_data: $PAST_VALUES_FEATURE_DATA` | `"past_values": [{"feature_id": "processing_bytes_max", "data": 905}]` | `past_values_processing_bytes_max_data: 905` |
| feature_data | `feature_data_$FEATURE_NAME_data: $FEATURE_DATA_FEATURE_NAME_DATA` | `"feature_data": [{"feature_id": "processing_bytes_max", "feature_name": "processing bytes max", "data": 1360}]` | `feature_data_processing_bytes_max_data: 1360` |
| expected_values | `expected_values_$FEATURE_NAME_data: $EXPECTED_VALUES_FEATURE_DATA` | `"expected_values": [{"likelihood": 1, "value_list": [{"feature_id": "processing_bytes_max", "data": 905}]}]` | `expected_values_processing_bytes_max_data: 905` |
| entity | `entity_$NAME_value: $ENTITY_VALUE` | `"entity": [{"name": "process_name", "value": "process_3"}]` | `entity_process_name_value: process_3` |
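The following Python snippet is an added example (not the plugin's own flattening code) that applies the five rules in the table to a nested result document and, in the other direction, verifies that a stored flattened document is consistent with its nested fields. As the table's example outputs show, `$FEATURE_NAME` in the rules resolves to the item's `feature_id` (`processing_bytes_max`, not `processing bytes max`), so the code keys on `feature_id`. Where `expected_values` holds more than one entry, the rule yields one key per feature, so this example takes the entry with the highest `likelihood`; that choice is this example's own, not documented behaviour. `SAMPLE` is constructed from the table's example inputs, and `MISMATCHED` is a constructed document whose flattened key does not match its nested `feature_id`, which is the kind of drift `verify_flattened` is meant to catch.

```python
import json

# Constructed sample: the nested inputs from the flattening-rule table, combined into one document.
SAMPLE = json.loads("""
{
  "detector_id": "kzcZ43wBgEQAbjDnhzGF",
  "relevant_attribution": [{"feature_id": "deny_max1", "data": 0.07339452532666227}],
  "past_values": [{"feature_id": "processing_bytes_max", "data": 905}],
  "feature_data": [{"feature_id": "processing_bytes_max", "feature_name": "processing bytes max", "data": 1360}],
  "expected_values": [{"likelihood": 1, "value_list": [{"feature_id": "processing_bytes_max", "data": 905}]}],
  "entity": [{"name": "process_name", "value": "process_3"}]
}
""")

# Constructed sample: a stored document whose flattened key was derived from the wrong feature name.
MISMATCHED = {
    "relevant_attribution": [{"feature_id": "accept_max5", "data": 0.7111765287923325}],
    "relevant_attribution_deny_max5_data": 0.7111765287923325,
}

# Prefixes of the keys the flattening rules produce.
FLAT_PREFIXES = ("relevant_attribution_", "past_values_", "feature_data_", "expected_values_", "entity_")


def _feature_key(prefix: str, item: dict) -> str:
    # Keys are built from feature_id, as the table's example outputs show.
    return f"{prefix}_{item['feature_id']}_data"


def flatten_result(result: dict) -> dict:
    """Return a copy of the nested document with the flattened keys added alongside the nested fields."""
    flat = dict(result)
    for field in ("relevant_attribution", "past_values", "feature_data"):
        for item in result.get(field) or []:
            flat[_feature_key(field, item)] = item["data"]
    entries = result.get("expected_values") or []
    if entries:
        # Assumption of this example: with several entries, keep the most likely one.
        best = max(entries, key=lambda ev: ev["likelihood"])
        for item in best["value_list"]:
            flat[_feature_key("expected_values", item)] = item["data"]
    for ent in result.get("entity") or []:
        flat[f"entity_{ent['name']}_value"] = ent["value"]
    return flat


def verify_flattened(doc: dict) -> list:
    """Recompute the flattened keys from the nested fields and list keys that are missing, wrong or unexpected."""
    nested = {k: v for k, v in doc.items() if not k.startswith(FLAT_PREFIXES)}
    expected = {k: v for k, v in flatten_result(nested).items() if k.startswith(FLAT_PREFIXES)}
    stored = {k: v for k, v in doc.items() if k.startswith(FLAT_PREFIXES)}
    problems = [k for k, v in expected.items() if stored.get(k) != v]
    problems += [k for k in stored if k not in expected]
    return sorted(problems)


if __name__ == "__main__":
    print(json.dumps(flatten_result(SAMPLE), indent=2))
    print("problems in SAMPLE:", verify_flattened(flatten_result(SAMPLE)))
    print("problems in MISMATCHED:", verify_flattened(MISMATCHED))
```

Running `verify_flattened` over documents pulled from a custom result index is a cheap consistency check before building dashboards or alert rules on the flattened keys, since a rule or visualization keyed on a misnamed field silently matches nothing.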
For example, when a detector detects an anomaly late, the flattened result has the following format:
```json
{
  "detector_id": "kzcZ43wBgEQAbjDnhzGF",
  "confidence": 0.9746820962328963,
  "relevant_attribution": [
    {
      "feature_id": "deny_max1",
      "data": 0.07339452532666227
    },
    {
      "feature_id": "deny_avg",
      "data": 0.04934972719948845
    },
    {
      "feature_id": "deny_min",
      "data": 0.01803003656061806
    },
    {
      "feature_id": "deny_sum",
      "data": 0.14804918212089874
    },
    {
      "feature_id": "accept_max5",
      "data": 0.7111765287923325
    }
  ],
  "relevant_attribution_deny_max1_data": 0.07339452532666227,
  "relevant_attribution_deny_avg_data": 0.04934972719948845,
  "relevant_attribution_deny_min_data": 0.01803003656061806,
  "relevant_attribution_deny_sum_data": 0.14804918212089874,
  "relevant_attribution_accept_max5_data": 0.7111765287923325,
  "task_id": "9Dck43wBgEQAbjDn4zEe",
  "threshold": 1,
  "model_id": "kzcZ43wBgEQAbjDnhzGF_entity_app_0",
  "schema_version": 5,
  "anomaly_score": 1.141419389056506,
  "execution_start_time": 1635898427803,
  "past_values": [
    {
      "feature_id": "processing_bytes_max",
      "data": 905
    },
    {
      "feature_id": "processing_bytes_avg",
      "data": 479
    },
    {
      "feature_id": "processing_bytes_min",
      "data": 128
    },
    {
      "feature_id": "processing_bytes_sum",
      "data": 1437
    },
    {
      "feature_id": "processing_time_max",
      "data": 8440
    }
  ],
  "past_values_processing_bytes_max_data": 905,
  "past_values_processing_bytes_avg_data": 479,
  "past_values_processing_bytes_min_data": 128,
  "past_values_processing_bytes_sum_data": 1437,
  "past_values_processing_time_max_data": 8440,
  "data_end_time": 1635883920000,
  "data_start_time": 1635883860000,
  "feature_data": [
    {
      "feature_id": "processing_bytes_max",
      "feature_name": "processing bytes max",
      "data": 1360
    },
    {
      "feature_id": "processing_bytes_avg",
      "feature_name": "processing bytes avg",
      "data": 990
    },
    {
      "feature_id": "processing_bytes_min",
      "feature_name": "processing bytes min",
      "data": 608
    },
    {
      "feature_id": "processing_bytes_sum",
      "feature_name": "processing bytes sum",
      "data": 2970
    },
    {
      "feature_id": "processing_time_max",
      "feature_name": "processing time max",
      "data": 9670
    }
  ],
  "feature_data_processing_bytes_max_data": 1360,
  "feature_data_processing_bytes_avg_data": 990,
  "feature_data_processing_bytes_min_data": 608,
  "feature_data_processing_bytes_sum_data": 2970,
  "feature_data_processing_time_max_data": 9670,
  "expected_values": [
    {
      "likelihood": 1,
      "value_list": [
        {
          "feature_id": "processing_bytes_max",
          "data": 905
        },
        {
          "feature_id": "processing_bytes_avg",
          "data": 479
        },
        {
          "feature_id": "processing_bytes_min",
          "data": 128
        },
        {
          "feature_id": "processing_bytes_sum",
          "data": 4847
        },
        {
          "feature_id": "processing_time_max",
          "data": 15713
        }
      ]
    }
  ],
  "expected_values_processing_bytes_max_data": 905,
  "expected_values_processing_bytes_avg_data": 479,
  "expected_values_processing_bytes_min_data": 128,
  "expected_values_processing_bytes_sum_data": 4847,
  "expected_values_processing_time_max_data": 15713,
  "execution_end_time": 1635898427895,
  "anomaly_grade": 0.5514172746375128,
  "entity": [
    {
      "name": "process_name",
      "value": "process_3"
    }
  ],
  "entity_process_name_value": "process_3",
  "approx_anomaly_start_time": 1635883620000
}
```