I am trying to use the Machine Learning Toolkit assistant for detecting numerical outliers in transaction response time for multiple targets. I want to treat the data set for each target over a period of time separately and apply the algorithm to each set.
I am using this query in the assistant:
index=dc10 sourcetype=ML |timechart useother=f limit=20 span=10m values(resptime) by name
I expect to use the "resptime" field to analyze and split by the "name" field. However, this is not working as I expected it to. I am getting the values for "name" in the "Field to analyze" drop-down.
I can use it against a single target (name) and it works fine. Is there a way to apply the algorithm in the way that I need? I don't want to write separate queries to create a model for each of the targets.
Hmm, I understand what you mean. The outlier model will analyse only one field at a time to detect outliers.
Now, here is what you can try -
Try running the model THROUGH the ML app in search; there is an 'open in search' link in the outlier model.
This will give you the query.
Now save it as a dashboard and add a filter input where you add something like |name as your drop-down token.
This will allow the user to choose the needed name through a dropdown.
Now, pass the token to your model (the search query) where it can pick the name based on the token selected by the user. Your model now works dynamically based on the name token selection.
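
A Simple XML dashboard wired the way the answer above describes, as an added example that is not part of the original thread. The token name `name_tok`, the 24-hour time range, `avg(resptime)` and the 2-standard-deviation threshold are assumptions; the panel query stands in for whatever the assistant's 'open in search' link produces.

```xml
<!-- Added example, not from the original thread. Token name, time range,
     avg(resptime) and the 2-sigma threshold are assumptions. -->
<form>
  <label>Response time outliers per target</label>
  <fieldset submitButton="false">
    <!-- Drop-down populated from the distinct values of the "name" field -->
    <input type="dropdown" token="name_tok" searchWhenChanged="true">
      <label>Target (name)</label>
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>name</fieldForValue>
      <search>
        <query>index=dc10 sourcetype=ML | stats count by name | fields name</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Outliers for $name_tok$</title>
      <!-- $name_tok|s$ wraps the selected value in quotes, so a name that
           contains spaces or special characters stays a single search term -->
      <table>
        <search>
          <query>
            index=dc10 sourcetype=ML name=$name_tok|s$
            | timechart span=10m avg(resptime) as resptime
            | eventstats avg(resptime) as avg stdev(resptime) as stdev
            | eval lowerBound=avg-stdev*2, upperBound=avg+stdev*2
            | eval isOutlier=if(resptime &lt; lowerBound OR resptime &gt; upperBound, 1, 0)
            | where isOutlier=1
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the panel search filters on the selected name before computing the average and standard deviation, each target is evaluated against its own baseline rather than one shared across all targets.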