Table Of ContentMachine Learning
with the Elastic
Stack
Second Edition
Gain valuable insights from your data with Elastic
Stack's machine learning features
Rich Collier
Camilla Montonen
Bahaaldine Azarmi
BIRMINGHAM—MUMBAI
Machine Learning with the Elastic Stack
Second Edition
Copyright © 2021 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, without the prior written permission of the publisher,
except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the
information presented. However, the information contained in this book is sold without warranty,
either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors,
will be held liable for any damages caused or alleged to have been caused directly or indirectly by
this book.
Packt Publishing has endeavored to provide trademark information about all of the companies
and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing
cannot guarantee the accuracy of this information.
Group Product Manager: Kunal Parikh
Publishing Product Manager: Devika Battike
Senior Editor: David Sugarman
Content Development Editor: Joseph Sunil
Technical Editor: Devanshi Ayare
Copy Editor: Safis Editing
Project Coordinator: Aparna Nair
Proofreader: Safis Editing
Indexer: Manju Arasan
Production Designer: Alishon Mendonca
First published: January 2019
Second published: May 2021
Production reference: 1270521
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80107-003-4
www.packt.com
Contributors
About the authors
Rich Collier is a solutions architect at Elastic. Joining the Elastic team from the Prelert
acquisition, Rich has over 20 years of experience as a solutions architect and pre-sales
systems engineer for software, hardware, and service-based solutions. Rich's technical
specialties include big data analytics, machine learning, anomaly detection, threat
detection, security operations, application performance management, web applications,
and contact center technologies. Rich is based in Boston, Massachusetts.
Camilla Montonen is a senior machine learning engineer at Elastic.
Bahaaldine Azarmi, or Baha for short, is a solutions architect at Elastic. Prior to this
position, Baha co-founded ReachFive, a marketing data platform focused on user
behavior and social analytics. Baha also worked for different software vendors such as
Talend and Oracle, where he held solutions architect and architect positions. Before
Machine Learning with the Elastic Stack, Baha authored books including Learning Kibana
5.0, Scalable Big Data Architecture, and Talend for Big Data. Baha is based in Paris and has
an MSc in computer science from Polytech Paris.
About the reviewers
Apoorva Joshi is currently a security data scientist at Elastic (previously Elasticsearch)
where she works on using machine learning for malware detection on endpoints. Prior
to Elastic, she was a research scientist at FireEye where she applied machine learning to
problems in email security. She has a diverse engineering background with a bachelor's in
electrical engineering and a master's in computer engineering (with a machine learning
focus).
Lijuan Zhong is an experienced Elastic and cloud engineer. She has a master's degree in
information technology and nearly 20 years of working experience in IT and telecom, and
is now working with Elastic's major partner in Sweden: Netnordic. She began her journey
in Elastic in 2019 and became an Elastic certified engineer. She has also completed the
machine learning course by Stanford University. She leads lots of Elastic and machine
learning POC and projects, and customers were extremely satisfied with the outcome. She
has been the co-organizer of the Elastic Stockholm meetup since 2020. She took part in
the Elastic community conference 2021 and gave a talk about machine learning with the
Elastic Stack. She was awarded the Elastic bronze contributor award in 2021.
Table of Contents
Preface
Section 1 – Getting Started with Machine
Learning with Elastic Stack
1
Machine Learning for IT
Overcoming the historical Learning what's normal 10
challenges in IT 4 Probability models 10
Dealing with the plethora of data 4 Learning the models 12
De-trending 14
The advent of automated
Scoring of unusualness 16
anomaly detection 5
The element of time 17
Unsupervised versus
supervised ML 7 Applying supervised ML to data
Using unsupervised ML for frame analytics 17
anomaly detection 8 The process of supervised learning 18
Defining unusual 8
Summary 19
2
Enabling and Operationalization
Technical requirements 21 Understanding
Enabling Elastic ML features 22 operationalization 34
Enabling ML on a self-managed cluster 22 ML nodes 34
Enabling ML in the cloud – Jobs 35
Elasticsearch Service 26 Bucketing data in a time series analysis 36
Feeding data to Elastic ML 38
ii Table of Contents
The supporting indices 39 Anomaly detection model snapshots 42
Anomaly detection orchestration 41
Summary 43
Section 2 – Time Series Analysis – Anomaly
Detection and Forecasting
3
Anomaly Detection
Technical requirements 48 Geographic 74
Elastic ML job types 48 Time 75
Dissecting the detector 50 Splitting analysis along
The function 50 categorical features 75
The field 51 Setting the split field 76
The partition field 51 The difference between splitting using
The by field 51 partition and by_field 78
The over field 51
Understanding temporal versus
The "formula" 52
population analysis 79
Exploring the count functions 53
Categorization analysis of
Other counting functions 67
unstructured messages 83
Detecting changes in metric
Types of messages that are good
values 70
candidates for categorization 84
Metric functions 70 The process used by categorization 85
Analyzing the categories 86
Understanding the advanced
Categorization job example 86
detector functions 72
When to avoid using categorization 92
rare 72
Frequency rare 73 Managing Elastic ML via the API 92
Information content 74 Summary 94
4
Forecasting
Technical requirements 95 Forecasting use cases 97
Contrasting forecasting with Forecasting theory of operation 97
prophesying 96
Table of Contents iii
Single time series forecasting 100 Multiple time series forecasting 121
Looking at forecast results 115 Summary 124
5
Interpreting Results
Technical requirements 126 Multi-bucket scoring 152
Viewing the Elastic ML results
Forecast results 154
index 126
Querying for forecast results 155
Anomaly scores 131
Results API 157
Bucket-level scoring 132
Normalization 134 Results API endpoints 158
Influencer-level scoring 135 Getting the overall buckets API 158
Influencers 137 Getting the categories API 160
Record-level scoring 139
Custom dashboards and
Results index schema details 140 Canvas workpads 161
Bucket results 141 Dashboard "embeddables" 162
Record results 145 Anomalies as annotations in TSVB 164
Influencer results 149 Customizing Canvas workpads 166
Multi-bucket anomalies 150 Summary 169
Multi-bucket anomaly example 151
6
Alerting on ML Analysis
Technical requirements 172 Creating an alert with a watch 193
Understanding alerting Understanding the anatomy of the
concepts 172 legacy default ML watch 193
Custom watches can offer some
Anomalies are not necessarily alerts 172
unique functionality 200
In real-time alerting, timing matters 173
Summary 202
Building alerts from the ML UI 176
Defining sample anomaly detection jobs1 76
Creating alerts against the sample jobs 182
Simulating some real-time anomalous
behavior 188
Receiving and reviewing the alerts 191
iv Table of Contents
7
AIOps and Root Cause Analysis
Technical requirements 204 Leveraging the contextual
Demystifying the term ''AIOps'' 204 information 216
Understanding the importance Analysis splits 217
and limitations of KPIs 206 Statistical influencers 218
Moving beyond KPIs 209 Bringing it all together for RCA 218
Organizing data for better Outage background 219
analysis 211
Correlation and shared influencers 221
Custom queries for anomaly detection
Summary 227
datafeeds 212
Data enrichment on ingest 216
8
Anomaly Detection in Other Elastic Stack Apps
Technical requirements 230 Log anomalies 242
Anomaly detection in Elastic Anomaly detection in the Metrics app 243
APM 230
Anomaly detection in the
Enabling anomaly detection for APM 230 Uptime app 246
Viewing the anomaly detection job
Anomaly detection in the
results in the APM UI 236
Elastic Security app 249
Creating ML Jobs via the data recognizer2 38
Prebuilt anomaly detection jobs 250
Anomaly detection in the Logs Anomaly detection jobs as detection
app 240 alerts 253
Log categories 240
Summary 255
Section 3 – Data Frame Analysis
9
Introducing Data Frame Analytics
Technical requirements 260 Why are transforms useful? 261
Learning how to use transforms 260 The anatomy of a transform 262
Table of Contents v
Using transforms to analyze transform configurations 276
e-commerce orders 262 Introducing Painless 276
Exploring more advanced pivot and
aggregation configurations 267 Working with Python and
Discovering the difference between Elasticsearch 288
batch and continuous transforms 270 A brief tour of the Python Elasticsearch
Analyzing social media feeds using clients 289
continuous transforms 271
Summary 296
Using Painless for advanced
Further reading 297
10
Outlier Detection
Technical requirements 300 practice 308
Discovering the four techniques used Evaluating outlier detection
for outlier detection 301 with the
Understanding feature influence 304 Evaluate API 313
How does outlier detection differ from Hyperparameter tuning for
anomaly detection? 306
outlier detection 320
Applying outlier detection in Summary 323
11
Classification Analysis
Technical requirements 326 Introduction to decision trees 341
Classification: from data to a Gradient boosted decision trees 342
trained model 326
Hyperparameters 342
Feature engineering 331
Interpreting results 345
Evaluating the model 332
Summary 350
Taking your first steps with Further reading 350
classification 333
Classification under the hood:
gradient boosted decision trees 340
