Configure alerts of excessive CPU utilization in purposes utilizing Amazon OpenSearch Service anomaly detection: Half 1
Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) is a completely managed service that makes it straightforward to deploy, safe, and run Elasticsearch cost-effectively at scale. Amazon OpenSearch Service helps many use circumstances, together with utility monitoring, search, safety data and occasion administration (SIEM), and infrastructure monitoring. Amazon OpenSearch Service additionally affords a wealthy set of functionalities reminiscent of UltraWarm, fine-grained entry management, alerting, and anomaly detection.
On this two-part put up, we present you find out how to use anomaly detection in Amazon OpenSearch Service and configure alerts for top CPU utilization in purposes. In Half 1, we focus on find out how to arrange your anomaly detector.
Anomaly detection in Amazon OpenSearch Service routinely detects anomalies in your Amazon OpenSearch Service knowledge in near-real time by utilizing the Random Reduce Forest (RCF) algorithm. The RCF algorithm computes an anomaly grade and confidence rating worth for every incoming knowledge level. Anomaly detection makes use of these values to distinguish an anomaly from regular variations in your knowledge.
The next screenshot exhibits a pattern anomaly historical past dashboard on the Amazon OpenSearch Service console.
You’ll be able to configure anomaly detectors through the Amazon OpenSearch Service Kibana dashboard or API. The important thing parts for creating an anomaly detector are detector creation and mannequin configuration. Within the following steps, we create an anomaly detector for utility log information with CPU utilization knowledge.
Create a detector
Step one in creating an anomaly detection resolution is making a detector. A detector is a person anomaly detection activity. You’ll be able to have multiple detector, and so they all can run concurrently. To create your detector, full the next steps:
- On the Anomaly detection dashboard inside your Kibana dashboard, select Detectors.
- Select Create detector.
- For Title, enter a novel identify on your detector.
- For Description, enter an elective description.
- For Index, select an index the place you need to determine the anomaly.
- For Timestamp discipline, select the timestamp discipline out of your index.
Optionally, you possibly can add a knowledge filter. This knowledge filter helps you analyze solely a subset of your knowledge supply and cut back the noisy knowledge.
Alternatively, select Customized expression and add in your individual filter question.
- Set the detector operation settings:
- Detector interval – This defines the time interval for the detector to gather the info. Throughout this time, the detector aggregates the info, then feeds the aggregated outcomes into the anomaly detection mannequin. The variety of knowledge factors is dependent upon the interval worth. A shorter interval time ends in a smaller pattern measurement. We suggest setting the interval primarily based on precise knowledge. Too lengthy of an interval would possibly delay the outcomes, and too quick would possibly miss some knowledge factors.
- Window delay – This provides additional processing time to make sure that all knowledge throughout the window is current.
Configure the mannequin
As a way to run the anomaly detection mannequin, you will need to configure sure mannequin parameters. One key parameter is characteristic choice. A characteristic is a discipline within the index that’s monitored for anomalies utilizing completely different aggregation strategies. You’ll be able to apply anomaly detection to multiple characteristic for the index specified within the detector’s knowledge supply. After you create the detector, it is advisable to configure the mannequin with the best options to allow anomaly detection.
- On the anomaly detection dashboard, underneath the detector identify, select Configure mannequin.
- On the Edit mannequin configuration web page, for Characteristic identify, enter a reputation.
- For Characteristic state, choose Allow characteristic.
- For Discover anomalies primarily based on, select Discipline worth.
- For Aggregation methodology, select your acceptable aggregation methodology.
For instance, for those who select common(), the detector finds anomalies primarily based on the typical values of your characteristic. For this put up, we select sum().
As of this writing, Amazon OpenSearch Service helps the class discipline for top cardinality. You need to use the class discipline for key phrase or IP discipline sort. The class discipline categorizes or slices the supply time sequence with a dimension like IP addresses, product SKUs, zip codes, and so forth. This supplies a granular view of anomalies inside every entity of the class discipline, that can assist you isolate and debug points. For instance, the CPU utilization proportion doesn’t assist determine the precise occasion inflicting the difficulty. However by utilizing the host IP categorical worth, chances are you’ll capable of finding the precise host inflicting the anomaly.
- Within the Class discipline, choose Allow class discipline.
- For Discipline, select your discipline.
- Within the Superior Settings part, for Window measurement, set the variety of intervals to contemplate in a detection window.
We suggest selecting the window measurement worth primarily based on the precise knowledge. When you count on lacking values in your knowledge or in order for you the anomalies primarily based on the present interval, select 1. In case your knowledge is constantly ingested and also you need the anomalies primarily based on a number of intervals, select a bigger window measurement.
Within the Pattern anomaly historical past part, you possibly can see a preview of the anomalies.
- Select Save and begin detector.
- Within the pop-up window, choose when to start out the detector (routinely or manually).
- Select Affirm.
This put up defined the completely different steps required to create an anomaly detector with Amazon OpenSearch Service. You need to use anomaly detection for a lot of use circumstances, together with discovering anomalies in entry logs from completely different companies, utilizing clickstream knowledge, utilizing IP deal with knowledge, and extra.
Amazon OpenSearch Service anomaly detection is obtainable on domains operating any OpenSearch model or Elasticsearch 7.4 or later. All occasion sorts help anomaly detection, aside from t2.micro and t2.small.
Within the subsequent a part of this put up, we cowl find out how to arrange an alert for these anomalies utilizing the Amazon OpenSearch Service alerting characteristic.
Concerning the Authors
Jey Vell is a Senior Options Architect with AWS, primarily based in Austin TX. Jey focuses on Analytics and ML/AI. Jey works carefully with Amazon OpenSearch Service group, offering structure steering and technical help to the AWS clients with their search workloads. He brings to his function over 20 years of know-how expertise in software program improvement and structure, and IT administration.
Jon Handler is a Senior Principal Options Architect, specializing in AWS search applied sciences – Amazon CloudSearch, and Amazon OpenSearch Service. Primarily based in Palo Alto, he helps a broad vary of consumers get their search and log analytics workloads deployed proper and functioning effectively.