
[BUG] Configuring Anomaly Detector #162

Open
jmurillo9 opened this issue Mar 1, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@jmurillo9

What is the bug?

I am trying to configure an anomaly detector using the latest provider version (v2.2.0). When I am defining a feature, I can only seem to get my code to work using aggregation_query, which results in a custom expression showing up in the UI.

[screenshot 1: feature rendered as a custom expression in the detector UI]

[screenshot 2: feature rendered as a custom expression in the detector UI]

but... when I create a feature manually, I can have the feature show up like so:

[screenshot: feature created manually in the detector UI]

I have been trying various variations, using:

  "feature_attributes": [
    {
      "feature_name": "count_client_ip",
      "feature_enabled": true,
      "aggregation_query": {
        "count_client_ip": {
          "value_count": {
            "field": "client_ip.keyword"
          }
        }
      }
    }
  ],

OR

  "feature_attributes": [
    {
      "feature_name": "count_client_ip",
      "feature_enabled": true,
      "aggregation_method": "value_count",
      "field": "client_ip"
    }
  ],

etc...

How can one reproduce the bug?

Reference the Terraform docs for the resource in question, copy the example snippet, and try to deploy.

What is the expected behavior?

The features show up the same in the UI. There seem to be two distinct options to pick from when doing this manually.

[screenshot: first feature option in the detector UI]

[screenshot: second feature option in the detector UI]

What is your host/environment?

OpenSearch_2.9
terraform v1.2.2

Do you have any additional context?

  • If the two variations are interchangeable, then can someone please provide a working query that I can use that would be the same as what works when doing this manually?

  • If someone can provide an example of how to properly add categorical_fields as well, that would be greatly appreciated. I cannot seem to get that to work (again, because the resource is expecting aggregation_query). I tried doing:

        "aggregation_query": {
          "category_field_1": {
            "terms": {
              "field": "category_field_1.keyword"
            }
          }
        }

jmurillo9 added the bug (Something isn't working) and untriaged labels on Mar 1, 2024
@prudhvigodithi (Member)

[Triage]
Hey @jmurillo9, thanks for opening the issue. Do you see this bug only when using the provider, or also when using the OpenSearch API? You mentioned it works manually from the dashboard; can you please share your tf file or query, etc., so we can reproduce?
Adding @rblcoder @bbarani
Thanks

@jmurillo9 (Author) commented Apr 2, 2024

Hello @prudhvigodithi - I personally haven't tried using the OpenSearch API. I just noticed a difference in what shows up in the UI when you point and click versus when you use the Terraform provider (v2.2.0). The visual comparison was just throwing me off at first.

terraform {
  required_providers {
    opensearch = {
      source  = "opensearch-project/opensearch"
      version = "2.2.0"
    }
  }
}

Complete Terraform code from the snippet I posted above:

resource "opensearch_anomaly_detection" "this" {
  body = <<EOF
{
  "name": "my-awesome-detector",
  "description": "An anomaly detector for ingress logs created via Terraform.",
  "time_field": "@timestamp",
  "result_index": "opensearch-ad-plugin-result-my-awesome-detector",
  "indices": [
    "*ingress*"
  ],
  "feature_attributes": [
    {
      "feature_name": "count_client_ip",
      "feature_enabled": true,
      "aggregation_query": {
        "count_client_ip": {
          "value_count": {
            "field": "client_ip.keyword"
          }
        }
      }
    }
  ],
  "filter_query": {
    "bool": {
      "filter": [
        {
          "range": {
            "value": {
              "gt": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "detection_interval": {
    "period": {
      "interval": 10,
      "unit": "Minutes"
    }
  },
  "window_delay": {
    "period": {
      "interval": 1,
      "unit": "Minutes"
    }
  }
}
EOF
}

@rblcoder (Collaborator) commented Apr 3, 2024

@jmurillo9 Creating an anomaly detector using

terraform {
  required_providers {
    opensearch = {
      source  = "opensearch-project/opensearch"
      version = "2.2.1"
    }
  }
}

provider "opensearch" {
  url                  = "url"
  healthcheck          = "false"
  aws_region           = "region"
  version_ping_timeout = "10"
  sign_aws_requests    = "false"
  username             = "username"
  password             = "password"
}


resource "opensearch_anomaly_detection" "test-detector12" {
  body = <<EOF
{
    "name": "sample-http-responses-detector2",
    "description": "A sample detector to detect anomalies with HTTP response code logs.",
    "time_field": "timestamp",
    "indices": [
      "sample-http-responses"
    ],
    "filter_query": {
      "match_all": {
        "boost": 1
      }
    },
    "detection_interval": {
      "period": {
        "interval": 10,
        "unit": "Minutes"
      }
    },
    "window_delay": {
      "period": {
        "interval": 1,
        "unit": "Minutes"
      }
    },
    "shingle_size": 8,
    "schema_version": 0,
    "feature_attributes": [
      {
        "feature_id": "8Z6-oo4BhbT1HUOvhfMe",
        "feature_name": "sum_http_4xx",
        "feature_enabled": true,
        "aggregation_query": {
          "sum_http_4xx": {
            "sum": {
              "field": "http_4xx"
            }
          }
        }
      },
      {
        "feature_id": "8p6-oo4BhbT1HUOvhfMl",
        "feature_name": "sum_http_5xx",
        "feature_enabled": true,
        "aggregation_query": {
          "sum_http_5xx": {
            "sum": {
              "field": "http_5xx"
            }
          }
        }
      }
    ],
    "ui_metadata": {
      "features": {
        "sum_http_5xx": {
          "aggregationBy": "sum",
          "aggregationOf": "http_5xx",
          "featureType": "simple_aggs"
        },
        "sum_http_4xx": {
          "aggregationBy": "sum",
          "aggregationOf": "http_4xx",
          "featureType": "simple_aggs"
        }
      },
      "filters": []
    },
    "last_update_time": 1712127380464,
    "user": {
      "name": "ce80y7khowl5",
      "backend_roles": [],
      "roles": [
        "security_manager",
        "all_access"
      ],
      "custom_attribute_names": [],
      "user_requested_tenant": null
    },
    "detector_type": "SINGLE_ENTITY"
}
EOF
}

when I check the configuration in OpenSearch Dashboards, it shows:

[screenshot: anomaly detection configuration in Dashboards, features listed as simple aggregations]
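As an added example (not code from the issue, the provider, or the OpenSearch project), the following Python script makes the structural difference between the two bodies in this thread explicit: the body that rendered as a simple aggregation in Dashboards carries, for every feature, a `ui_metadata.features[<feature_name>]` entry with `featureType: "simple_aggs"` whose `aggregationBy`/`aggregationOf` mirror that feature's `aggregation_query`, while the body that rendered as a custom expression has `aggregation_query` only. The script builds a create body with both parts kept in sync, renders it in the heredoc form the `opensearch_anomaly_detection` resource takes, and checks any existing body for features that would fall back to a custom expression (missing entry, or an entry that disagrees with the query). The `category_field` list it adds for the categorical-field question follows the OpenSearch Anomaly Detection create-detector API as I understand it; the thread shows no working categorical example, so treat that key as an assumption. The server-populated fields in the working body above (`feature_id`, `last_update_time`, `user`) are left out because the generated body is for creation, and `POSTED_BODY` is a trimmed reconstruction of the body posted earlier in the issue.

```python
"""Build an OpenSearch anomaly-detector body for the opensearch_anomaly_detection
resource so that every feature carries both an aggregation_query and a matching
ui_metadata entry, and check an existing body for features that Dashboards
would render as a custom expression.  Added example; not the provider's code."""
import json

# Methods the Dashboards feature editor offers as "simple" aggregations.
SIMPLE_AGGS = {"avg", "sum", "min", "max", "value_count"}


def simple_feature(name, method, field):
    """Return (feature_attribute, ui_metadata entry) for one simple feature.

    The aggregation_query is keyed by the feature name, exactly as in the
    bodies posted in the thread, and the ui_metadata entry mirrors it."""
    if method not in SIMPLE_AGGS:
        raise ValueError(f"{method!r} is not a simple aggregation: {sorted(SIMPLE_AGGS)}")
    attribute = {
        "feature_name": name,
        "feature_enabled": True,
        "aggregation_query": {name: {method: {"field": field}}},
    }
    ui_entry = {"aggregationBy": method, "aggregationOf": field, "featureType": "simple_aggs"}
    return attribute, ui_entry


def build_detector_body(name, indices, time_field, features, category_field=None,
                        interval_minutes=10, window_delay_minutes=1, description=""):
    """Assemble a create-detector body.  `features` is a list of
    (feature_name, method, field) tuples.  `category_field` is an optional list
    of keyword fields for a high-cardinality detector; the key name follows the
    OpenSearch AD API as I understand it and is an assumption of this example."""
    feature_attributes, ui_features = [], {}
    for feature_name, method, field in features:
        attribute, ui_entry = simple_feature(feature_name, method, field)
        feature_attributes.append(attribute)
        ui_features[feature_name] = ui_entry
    body = {
        "name": name,
        "description": description,
        "time_field": time_field,
        "indices": list(indices),
        "filter_query": {"match_all": {"boost": 1}},
        "detection_interval": {"period": {"interval": interval_minutes, "unit": "Minutes"}},
        "window_delay": {"period": {"interval": window_delay_minutes, "unit": "Minutes"}},
        "feature_attributes": feature_attributes,
        "ui_metadata": {"features": ui_features, "filters": []},
    }
    if category_field:
        body["category_field"] = list(category_field)  # assumed API key, see docstring
    return body


def custom_expression_features(body):
    """Names of features Dashboards would show as a custom expression: no
    simple_aggs ui_metadata entry, or one that disagrees with aggregation_query."""
    ui_features = body.get("ui_metadata", {}).get("features", {})
    flagged = []
    for attribute in body.get("feature_attributes", []):
        name = attribute["feature_name"]
        meta = ui_features.get(name, {})
        query = attribute.get("aggregation_query", {})
        if meta.get("featureType") != "simple_aggs" or len(query) != 1:
            flagged.append(name)
            continue
        (agg,) = query.values()  # e.g. {"value_count": {"field": "client_ip.keyword"}}
        method = meta.get("aggregationBy")
        if method not in agg or agg[method].get("field") != meta.get("aggregationOf"):
            flagged.append(name)
    return flagged


def terraform_resource(resource_name, body):
    """Render the body in the heredoc form the opensearch_anomaly_detection resource takes."""
    return (f'resource "opensearch_anomaly_detection" "{resource_name}" {{\n'
            f"  body = <<EOF\n{json.dumps(body, indent=2)}\nEOF\n}}\n")


# Constructed from the body posted in the issue: aggregation_query only, no ui_metadata.
POSTED_BODY = {
    "name": "my-awesome-detector",
    "feature_attributes": [{
        "feature_name": "count_client_ip",
        "feature_enabled": True,
        "aggregation_query": {"count_client_ip": {"value_count": {"field": "client_ip.keyword"}}},
    }],
}

# The same feature rebuilt with ui_metadata, plus a categorical field (assumed key).
FIXED_BODY = build_detector_body(
    "my-awesome-detector", ["*ingress*"], "@timestamp",
    [("count_client_ip", "value_count", "client_ip.keyword")],
    category_field=["client_ip.keyword"],
)

if __name__ == "__main__":
    print("custom expressions in posted body:", custom_expression_features(POSTED_BODY))
    print("custom expressions in fixed body: ", custom_expression_features(FIXED_BODY))
    print(terraform_resource("this", FIXED_BODY))
```

Running it prints `['count_client_ip']` for the posted body and `[]` for the rebuilt one, then the rendered resource; the JSON can go into `body = <<EOF ... EOF` as in the thread, or be passed through `jsonencode()` from a Terraform map instead of a heredoc.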

@jmurillo9 (Author)
I'll have to give this a try. Thanks @rblcoder !
