| 1 | +[role="xpack"] |
| 2 | +[[ml-rules]] |
| 3 | +=== Machine learning rules and filters |
| 4 | +++++ |
| 5 | +<titleabbrev>Rules and filters</titleabbrev> |
| 6 | +++++ |
| 7 | + |
| 8 | +By default, as described in <<ml-analyzing>>, anomaly detection is unsupervised |
| 9 | +and the {ml} models have no awareness of the domain of your data. As a result, |
| 10 | +{ml} jobs might identify events that are statistically significant but are |
| 11 | +uninteresting when you know the larger context. Machine learning rules enable |
| 12 | +you to customize anomaly detection. |
| 13 | + |
| 14 | +_Rules_ instruct anomaly detectors to change their behavior based on |
| 15 | +domain-specific knowledge that you provide. When you create a rule, you can |
| 16 | +specify conditions, scope, and actions. When the conditions of a rule are |
| 17 | +satisfied, its actions are triggered. |
| 18 | + |
| 19 | +For example, if you have an anomaly detector that is analyzing CPU usage, you |
| 20 | +might decide you are only interested in anomalies where the CPU usage is greater |
| 21 | +than a certain threshold. You can define a rule with conditions and actions that |
| 22 | +instruct the detector to refrain from generating {ml} results when there are |
| 23 | +anomalous events related to low CPU usage. You might also decide to add a scope |
| 24 | +for the rule, such that it applies only to certain machines. The scope is |
| 25 | +defined by using {ml} filters. |
| 26 | + |
| 27 | +_Filters_ contain a list of values that you can use to include or exclude events |
| 28 | +from the {ml} analysis. You can use the same filter in multiple jobs. |
| 29 | + |
| 30 | +If you are analyzing web traffic, you might create a filter that contains a list |
| 31 | +of IP addresses. For example, maybe they are IP addresses that you trust to |
| 32 | +upload data to your website or to send large amounts of data from behind your |
| 33 | +firewall. You can define the scope of a rule such that it triggers only when a |
| 34 | +specific field in your data matches one of the values in the filter. |
| 35 | +Alternatively, you can make it trigger only when the field value does not match |
| 36 | +one of the filter values. You therefore have much greater control over which |
| 37 | +anomalous events affect the {ml} model and appear in the {ml} results. |
| 38 | + |
| 39 | +//TO-DO: Add link to more information about defining rules. |
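Review bot: line 39 leaves a `//TO-DO: Add link to more information about defining rules.` comment in the committed source while the body text never points the reader at the page that explains how to configure a rule; either add the cross-reference now or track it in an issue and drop the comment, because AsciiDoc line comments do not render and the gap is invisible to readers. A second point, lines 36-37: the filters paragraph ends by saying rules control "which anomalous events affect the {ml} model and appear in the {ml} results", while line 22 only describes refraining from generating results; the text should say whether a rule's actions can suppress results and model updates separately, since a reader excluding trusted IP addresses (lines 30-34) needs to know whether those events still train the model.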