
Anomaly detection job types

Anomaly detection jobs have many possible configuration options which enable you to fine-tune the jobs and cover your use case as much as possible. This page provides a quick overview of different types of anomaly detection jobs and their capabilities. The job types available in Kibana are:

  • single metric jobs
  • multi-metric jobs

Single metric jobs

Every anomaly detection job has at least one detector. A detector defines the type of analysis that occurs (for example, using max, average, or high functions) and the field in your data that is analyzed. Single metric jobs have exactly one detector. These jobs are best for detecting anomalies in one aspect of your time series data. For example, you can monitor the request rate in your log data with the low_count function to find unusually low request rates that might be a sign of an error. Refer to the Function reference to learn more about the available functions.

Multi-metric jobs

Multi-metric jobs can have more than one detector configured and can optionally split the analysis by a field. Conceptually, a multi-metric job can be considered as multiple independent single metric jobs. Binding the jobs together into a multi-metric job has the advantage of an overall anomaly score (instead of an independent anomaly score for each job) and influencers that apply to all metrics in the job. Multi-metric jobs provide better results when the influencers are shared across the detectors.

Splitting the analysis by a field enables you to model each value of that field independently. For example, you can split the analysis of your log data set by the host field, which results in independent baselines for each host (each value of the host field) in your data set. If you have a count function that detects anomalies in the error_code field, and your data is split by the host field, then the unusual number of events in the error_code field is reported in the context of each host independently. In this case, an observed anomaly in one host does not affect the baseline of another host.

Multi-metric jobs are recommended for complex use cases where you want to detect anomalous behavior in multiple aspects of your data or analyze the data in the context of distinct values of a field.
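
The two job types described above, written as requests to the create anomaly detection jobs API for the Kibana Dev Tools console. This is an added example, not configuration from the original page: the job IDs, the timestamp and response_time field names, and the 15m bucket span are assumptions, while host, error_code, low_count, and count come from the text.

```console
# Added example. Job IDs, "timestamp", "response_time" and the bucket span
# are assumed values; replace them with the fields in your own log index.

# Single metric job: exactly one detector, one baseline for the whole data set.
PUT _ml/anomaly_detectors/example-low-request-rate
{
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "function": "low_count",
        "detector_description": "Unusually low request rate"
      }
    ]
  },
  "data_description": { "time_field": "timestamp" }
}

# Multi-metric job: several detectors, each split by host so that every host
# gets its own baseline, with influencers shared across all detectors.
PUT _ml/anomaly_detectors/example-per-host-metrics
{
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      { "function": "low_count", "partition_field_name": "host" },
      {
        "function": "count",
        "by_field_name": "error_code",
        "partition_field_name": "host"
      },
      {
        "function": "high_mean",
        "field_name": "response_time",
        "partition_field_name": "host"
      }
    ],
    "influencers": ["host", "error_code"]
  },
  "data_description": { "time_field": "timestamp" }
}
```

In the second job, partition_field_name is what implements the split: an anomaly on one host is scored against that host's own history and does not shift the baseline of any other host.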