Count is zero: why does ML not consider it abnormal?

Hi There,

I find that the ML cannot detect NoDoc.

I have configured an ML detector, CountDoc, and it does not filter anything.

  1. Blue is as expected: I keep using example data, sending HTTP 200 traffic at around 1 hit per second.
  2. Red is also as expected: I sent another volume of traffic, which the ML successfully detected as abnormal.
  3. However, in Green, I stopped all traffic to opendistro. The feature breakdown correctly shows that it has a ZERO count, but it is not considered abnormal.
    I expected that it might not get an anomaly grade of 1, but at least some score.

May I know why, or where I can tune this?

Thanks for using the product and asking the question, Vincent!

By design, the expected number of anomalies out of all data points is 0.5%. With many anomalies in a short period of time, the detector will likely report the earlier ones to control the number of false positives.

If you let the traffic go back to normal for a period of time and then reduce the traffic to 0, the anomaly is expected to be detected.