time_of_day function shows incorrect actual value #413

Closed
richcollier opened this issue Feb 22, 2019 · 3 comments

@richcollier

Testing the time_of_day function using the attached CSV -
detector: time_of_day partition_field_name=user
bucket_span:1h

Was looking to detect the highlighted event in the 21:00 hour:
image

  "_source": {
    "result": "success",
    "@timestamp": "2014-07-09T03:16:00.000Z",
    " src": "101.101.101.101",
    "destination": "10.4.4.4",
    "action": "login",
    "epoch_time": "1404875760",
    "user": "jones"
  },

Notice: 03:16:00 GMT is 23:15 EST

image

Anomaly surfaced, showing "actual" time of 10:16:

image

Problems:

  1. actual time is 1 hour off (shows 10:16 instead of 11:16)
  2. actual/typical times should be shown in 24-hour format or have AM/PM (I prefer the former)

logins_epoch.csv.txt

@droberts195
Contributor

> 2. actual/typical times should be shown in 24-hour format or have AM/PM (I prefer the former)

@elastic/ml-ui I think this part of the problem is almost certainly in the UI. Please can you check the code in the kibana repo and see if it is currently formatting using a 12 hour clock. If so I agree with @richcollier that a 24 hour clock would be more in keeping with the way ML displays other times.

> 1. actual time is 1 hour off (shows 10:16 instead of 11:16)

This part of the problem might also be a UI problem. The anomaly output by the backend code is in terms of seconds since the beginning of the UTC day. I assume the UI is translating this to the Kibana timezone. But if it is being translated to the Kibana timezone based on today's date then it could be using the wrong daylight saving adjustment. In this bug report that would make sense: 03:16 UTC is 10:16 EST at this time of year. But in July (when the anomaly occurred) 03:16 UTC is 11:16 EDT. If this sounds plausible I think what we should do is to take the date from the anomaly timestamp and the time from the actual or typical, convert that combination to a local timestamp, then drop the date to leave just a local time. Even this could go wrong if the anomaly occurs very close to a daylight savings switchover, but it will be better than what we have now for about 7 months of the year.
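The conversion proposed in the comment above, as an added example that is not part of the original thread or of the Kibana code: it anchors the seconds-since-UTC-midnight value to the anomaly's own date before converting to local time, and flags days on which the zone's offset changes. The function names, the `America/New_York` zone and the 11760-second value (03:16 UTC, derived from the record's `@timestamp`) are assumptions for illustration.

```javascript
// Added example; all sample values are constructed from figures quoted in this issue.
const MS_PER_DAY = 86400 * 1000;

// Start (00:00 UTC) of the UTC day that contains the given instant.
function utcMidnight(epochMs) {
  return Math.floor(epochMs / MS_PER_DAY) * MS_PER_DAY;
}

// HH:mm on a 24-hour clock in the given IANA time zone.
function formatLocal(epochMs, timeZone) {
  return new Intl.DateTimeFormat('en-GB', {
    timeZone, hour: '2-digit', minute: '2-digit', hourCycle: 'h23',
  }).format(new Date(epochMs));
}

// Convert a time_of_day value (seconds since the start of the UTC day) to a
// local time, taking the date, and so the DST rule, from anchorMs.
function formatTimeOfDay(secondsIntoUtcDay, anchorMs, timeZone) {
  if (!(secondsIntoUtcDay >= 0 && secondsIntoUtcDay < 86400)) {
    throw new RangeError('expected seconds within one UTC day');
  }
  return formatLocal(utcMidnight(anchorMs) + secondsIntoUtcDay * 1000, timeZone);
}

// True when the zone's UTC offset differs between the start and the end of
// the anchor's UTC day: the switchover case where the result stays ambiguous.
function offsetChangesWithinUtcDay(anchorMs, timeZone) {
  const start = utcMidnight(anchorMs);
  return formatLocal(start, timeZone) !== formatLocal(start + MS_PER_DAY, timeZone);
}

const zone = 'America/New_York';                 // assumed Kibana time zone
const actual = 11760;                            // 03:16 UTC as seconds into the day
const anomalyMs = Date.UTC(2014, 6, 9, 3, 16);   // the record's @timestamp
const reportMs = Date.UTC(2019, 1, 22, 12);      // a date in February, when the issue was opened

// Anchored to a February date the winter offset is applied; anchored to the
// anomaly's date the offset in force in July is applied.
console.log('anchored to report date :', formatTimeOfDay(actual, reportMs, zone));
console.log('anchored to anomaly date:', formatTimeOfDay(actual, anomalyMs, zone));
console.log('switchover on anomaly day:', offsetChangesWithinUtcDay(anomalyMs, zone));
```
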

@dimitris-athanasiou
Contributor

dimitris-athanasiou commented Feb 25, 2019

The backend outputs the actual value of time_of_day anomaly records to be the day offset in seconds (UTC). Thus, I would imagine the UI has code that formats that value and that probably that code ignores timezone changes? @elastic/ml-ui

@peteharverson

Closing issue here as the bug is in how the actual and typical values are formatted in the UI - see elastic/kibana#32023
