I have a use case to detect anomalies in log files of denied remote access. I would create a detector with a filter on the corresponding log message and add a feature with "count" aggregation on the client_ip field.
According to the YouTube video, it is not possible to count terms like IP addresses in features, only numeric values. Is that still true? I think using the "count" aggregation, which is mapped to the Elasticsearch "value_count" aggregation, it should be possible to count such non-numeric fields.
Thanks for clarification.
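The following is an added example, not code from the original post and not OpenSearch or Elasticsearch code. It models, on constructed denied-remote-access log documents, what a "count" feature backed by `value_count` actually computes: `value_count` counts the values extracted from a field regardless of that field's type, so a keyword or ip field such as `client_ip` works, whereas the numeric metrics (sum, avg, min, max) do not. It also shows the per-interval series a detector would model and the difference between counting values and counting distinct IPs (`cardinality`). The detector body at the end follows the shape of the OpenSearch Anomaly Detection create-detector request as an assumption; the field names `client_ip`, `event.outcome` and the detector name are made up for the example.

```python
"""Reference model of a value_count feature over denied-remote-access logs.

Added example; the aggregation functions below mimic the documented semantics of
the Elasticsearch/OpenSearch metrics, they are not the engine's implementation.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from numbers import Number
from typing import Any, Dict, List

# Constructed sample documents (not real log data). One denied event carries no
# client_ip, and one event is "allowed" so the detector's filter must drop it.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {"@timestamp": T0 + timedelta(seconds=5),   "event.outcome": "denied",  "client_ip": "203.0.113.7"},
    {"@timestamp": T0 + timedelta(seconds=20),  "event.outcome": "denied",  "client_ip": "203.0.113.7"},
    {"@timestamp": T0 + timedelta(seconds=40),  "event.outcome": "denied",  "client_ip": "198.51.100.2"},
    {"@timestamp": T0 + timedelta(seconds=50),  "event.outcome": "allowed", "client_ip": "192.0.2.9"},
    {"@timestamp": T0 + timedelta(seconds=70),  "event.outcome": "denied"},   # client_ip missing
    {"@timestamp": T0 + timedelta(seconds=90),  "event.outcome": "denied",  "client_ip": "198.51.100.2"},
    {"@timestamp": T0 + timedelta(seconds=100), "event.outcome": "denied",  "client_ip": "203.0.113.7"},
]


def apply_filter(docs: List[Dict[str, Any]], field: str, value: Any) -> List[Dict[str, Any]]:
    """Model of the detector's filter_query: a term filter on one field."""
    return [d for d in docs if d.get(field) == value]


def value_count(docs: List[Dict[str, Any]], field: str) -> int:
    """Model of value_count: number of values present in the field, whatever their
    type. Documents without the field add nothing; an array adds one per element."""
    total = 0
    for d in docs:
        v = d.get(field)
        if v is None:
            continue
        total += len(v) if isinstance(v, list) else 1
    return total


def cardinality(docs: List[Dict[str, Any]], field: str) -> int:
    """Model of cardinality: number of distinct values (exact here; the real
    aggregation is approximate). Shows that count != distinct IPs."""
    seen = set()
    for d in docs:
        v = d.get(field)
        if v is not None:
            seen.update(v if isinstance(v, list) else [v])
    return len(seen)


def sum_agg(docs: List[Dict[str, Any]], field: str) -> float:
    """Model of a numeric metric (sum): rejects non-numeric values, which is why
    sum/avg/min/max cannot be pointed at an ip or keyword field."""
    total = 0
    for d in docs:
        v = d.get(field)
        if v is None:
            continue
        if isinstance(v, bool) or not isinstance(v, Number):
            raise TypeError(f"{field!r} holds non-numeric value {v!r}")
        total += v
    return total


def count_per_interval(docs: List[Dict[str, Any]], field: str,
                       interval: timedelta) -> Dict[datetime, int]:
    """The per-detection-interval value_count series the detector would model."""
    secs = int(interval.total_seconds())
    buckets: Counter = Counter()
    for d in docs:
        if d.get(field) is None:
            continue
        start = int(d["@timestamp"].timestamp()) // secs * secs
        buckets[datetime.fromtimestamp(start, tz=timezone.utc)] += 1
    return dict(sorted(buckets.items()))


def build_detector_body(index: str, ip_field: str = "client_ip",
                        outcome_field: str = "event.outcome") -> Dict[str, Any]:
    """Detector definition with a value_count feature on the ip field. Assumed to
    match the OpenSearch Anomaly Detection create-detector body
    (POST _plugins/_anomaly_detection/detectors); verify against your version."""
    return {
        "name": "denied-remote-access",           # hypothetical detector name
        "description": "Spikes in denied remote-access attempts",
        "time_field": "@timestamp",
        "indices": [index],
        "filter_query": {"bool": {"filter": [{"term": {outcome_field: "denied"}}]}},
        "feature_attributes": [{
            "feature_name": "denied_count",
            "feature_enabled": True,
            # "count" in the UI corresponds to this value_count aggregation
            "aggregation_query": {"denied_count": {"value_count": {"field": ip_field}}},
        }],
        "detection_interval": {"period": {"interval": 1, "unit": "Minutes"}},
        "window_delay": {"period": {"interval": 1, "unit": "Minutes"}},
    }


if __name__ == "__main__":
    denied = apply_filter(SAMPLE_DOCS, "event.outcome", "denied")
    print("value_count(client_ip):", value_count(denied, "client_ip"))
    print("cardinality(client_ip):", cardinality(denied, "client_ip"))
    print("per minute:", count_per_interval(denied, "client_ip", timedelta(minutes=1)))
```

Two practical checks fall out of the model: a denied event whose `client_ip` is absent is not counted by `value_count` on that field (count on the time field or `_id`-like field if every event should count), and `value_count` counts attempts, not attackers, so a burst from one source and a slow scan from many sources look the same to this feature.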