[Infrastructure UI] Anomaly Detection job for network doesn't consider `system.network.name`
#221133 opened on May 21, 2025
Description
Describe the bug:
The anomaly detection job for Hosts includes two jobs for network traffic (RX and TX). Their aggregation takes a derivative of `system.network.in.bytes` and `system.network.out.bytes`, but it does not account for those counters being unique per `system.network.name`. The resulting data is inaccurate: on a host with two or more network interfaces, the job uses the highest counter instead of combining the counters.
Potential Fix:
Under the `date_histogram`, add a `terms` aggregation on `system.network.name` with a `max` sub-aggregation on `system.network.in.bytes`. Use a `sum_bucket` pipeline aggregation to add the per-interface max values together, then take the derivative.
Working Example:
Here is a working example that you can use in the Dev Console with Metricbeat data.
```json
POST metrics-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-15m",
              "lte": "now"
            }
          }
        }
      ]
    }
  },
  "aggregations": {
    "host.name": {
      "terms": {
        "field": "host.name"
      },
      "aggregations": {
        "host.name": {
          "terms": {
            "field": "host.name",
            "size": 100
          },
          "aggregations": {
            "buckets": {
              "date_histogram": {
                "field": "@timestamp",
                "fixed_interval": "5m"
              },
              "aggregations": {
                "@timestamp": {
                  "max": {
                    "field": "@timestamp"
                  }
                },
                "interfaces": {
                  "terms": {
                    "field": "system.network.name",
                    "size": 20
                  },
                  "aggregations": {
                    "max_bytes": {
                      "max": {
                        "field": "system.network.in.bytes"
                      }
                    }
                  }
                },
                "total_max_bytes": {
                  "sum_bucket": {
                    "buckets_path": "interfaces>max_bytes"
                  }
                },
                "bytes_in_derivative": {
                  "derivative": {
                    "buckets_path": "total_max_bytes"
                  }
                },
                "positive_only": {
                  "bucket_script": {
                    "buckets_path": {
                      "in_derivative": "bytes_in_derivative.value"
                    },
                    "script": "params.in_derivative > 0.0 ? params.in_derivative : 0.0"
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
```
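To make the difference concrete, here is an added Python simulation (not code from this issue or from Kibana) of the two aggregation strategies over constructed per-interface counter samples: the current behaviour (max over all docs in a bucket, interface ignored) beside the proposed fix (max per `system.network.name`, then sum across interfaces), followed by the clamped derivative. The sample values and interface names are constructed.

```python
from collections import defaultdict

# Constructed samples, not real Metricbeat docs: (date_histogram bucket, system.network.name, system.network.in.bytes).
# eth0 carries most traffic; both counters reset in bucket 3 to exercise the positive_only clamp.
SAMPLES = [
    (0, "eth0", 1_000_000), (0, "eth1", 10_000),
    (1, "eth0", 1_100_000), (1, "eth1", 20_000),
    (2, "eth0", 1_200_000), (2, "eth1", 30_000),
    (3, "eth0", 50_000),    (3, "eth1", 40_000),
]


def naive_total_per_bucket(samples):
    """Current job: max(system.network.in.bytes) over every doc in the bucket.
    The busiest interface's counter wins; other interfaces are silently dropped."""
    per_bucket = defaultdict(int)
    for bucket, _iface, value in samples:
        per_bucket[bucket] = max(per_bucket[bucket], value)
    return dict(per_bucket)


def fixed_total_per_bucket(samples):
    """Proposed fix: terms on system.network.name -> max per interface,
    then sum_bucket adds the per-interface maxima together."""
    per_iface = defaultdict(dict)  # bucket -> {interface: max counter}
    for bucket, iface, value in samples:
        per_iface[bucket][iface] = max(per_iface[bucket].get(iface, 0), value)
    return {bucket: sum(maxima.values()) for bucket, maxima in per_iface.items()}


def positive_derivative(totals):
    """derivative between consecutive buckets, clamped at 0 like the bucket_script,
    so a counter reset produces 0 rather than a large negative throughput."""
    keys = sorted(totals)
    out = {}
    for prev, cur in zip(keys, keys[1:]):
        delta = totals[cur] - totals[prev]
        out[cur] = delta if delta > 0 else 0.0
    return out


if __name__ == "__main__":
    print("naive:", positive_derivative(naive_total_per_bucket(SAMPLES)))
    print("fixed:", positive_derivative(fixed_total_per_bucket(SAMPLES)))
```

With two interfaces the naive path under-reports bytes per interval by exactly eth1's contribution, and the gap grows with every additional interface on the host.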