Anomaly Detection DSL errors

I am trying to set up some anomaly detections. I have an index that has field http.response.status_code. This is a long and contains the HTTP status code.

I am trying to create a detector that will search my index; however, I am failing to achieve this.

If I go to Dev Tools, I am able to search my index. I have tried a few different ways:

{
  "query": {
    "range": {
      "http.response.status_code": {
        "gte": 400,
        "lt": 500
      }
    }
  }
}

and

{
  "query": {
    "terms": {
      "http.response.status_code": [
        "400",
        "401",
        "200"
      ]
    }
  }
}

These all return documents, but when I use the same code under custom expression in AD I get a query error:
Custom query error: [1:1309] [terms] unknown field [http.response.status_code]

The end goal is that I am trying to set up a detector that will detect an increase in 4XX and 5XX, which is in field http.response.status_code.

Any suggestions?

Think I worked it out. I was adding the filtering in the wrong place.

When setting up the Data Source, you can add a Data filter; this is where you can add filters based on status codes.
I created 2 ADs: one with the Data filter looking for 4XX and another looking for 5XX.

Hopefully, this will help someone else.

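For anyone who wants the same two-detector split without clicking through the UI, here is an added example (not from this thread) that builds the request bodies for the OpenSearch anomaly detection REST API. The Data filter from the UI is the detector's `filter_query` (ordinary query DSL, where the range query belongs), while the custom expression is a feature's `aggregation_query`, whose top-level keys are parsed as aggregation types; that is why a `terms` *query* pasted there is read as a `terms` *aggregation* and rejected with "unknown field". The field name comes from the thread; the index pattern, time field, detector names and intervals are assumptions.

```python
import json

STATUS_FIELD = "http.response.status_code"   # from the thread
INDEX_PATTERN = "web-logs-*"                 # assumed index name
TIME_FIELD = "@timestamp"                    # assumed time field

def status_class_filter(status_class):
    """Data filter (filter_query): a normal range query for one HTTP status
    class, e.g. 4 -> 400..499. Only 4xx and 5xx are used in the thread."""
    if status_class not in (4, 5):
        raise ValueError("only the 4xx and 5xx classes are handled here")
    low = status_class * 100
    return {"range": {STATUS_FIELD: {"gte": low, "lt": low + 100}}}

def error_count_feature():
    """Custom expression (aggregation_query): counts the filtered events per
    detection interval, so a spike in 4xx/5xx shows up as a rising value."""
    return {"feature_name": "error_count", "feature_enabled": True,
            "aggregation_query": {"error_count": {"value_count": {"field": STATUS_FIELD}}}}

def feature_expression_problem(expr):
    """Return a message when a search body was pasted where an aggregation is
    expected (the mistake in the thread), or None when the shape looks right."""
    if not isinstance(expr, dict) or not expr:
        return "custom expression must be a JSON object naming one aggregation"
    if "query" in expr:
        return "this is a search body; put the query in the Data filter instead"
    for name, body in expr.items():
        if not isinstance(body, dict) or len(body) != 1:
            return f"feature '{name}' must wrap exactly one aggregation type"
    return None

def build_detector(status_class, interval_minutes=10):
    """Body for POST _plugins/_anomaly_detection/detectors (one per class)."""
    return {
        "name": f"http-{status_class}xx-spike",            # assumed name
        "description": f"Rise in HTTP {status_class}xx responses",
        "time_field": TIME_FIELD,
        "indices": [INDEX_PATTERN],
        "filter_query": status_class_filter(status_class),
        "feature_attributes": [error_count_feature()],
        "detection_interval": {"period": {"interval": interval_minutes, "unit": "Minutes"}},
        "window_delay": {"period": {"interval": 1, "unit": "Minutes"}},
    }

if __name__ == "__main__":
    for cls in (4, 5):
        print("POST _plugins/_anomaly_detection/detectors")
        print(json.dumps(build_detector(cls), indent=2))
```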