[Logs Overview] Refine change types #197261

Open
weltenwort opened this issue Oct 22, 2024 · 1 comment
Labels
Team:obs-ux-logs Observability Logs User Experience Team

Comments

weltenwort (Member) commented Oct 22, 2024

📓 Summary

The change types currently shown in the log categories data grid are more or less passed through from the change_point aggregation. These types are sometimes hard to interpret as a human or an LLM. Additionally, they are sensitive to small variations in the distribution of the histogram when the document count is low, which leads to confusing flapping between types like spike and step.

✔️ Acceptance criteria

  • The changes detected by the Elasticsearch aggregation are post-processed into more useful change types:
    • rare: present in fewer than 1/5th of the buckets
      • from stationary by counting buckets
    • new: a detected change point before which all buckets are empty, but after which less than 1/2 of the buckets are empty
      • from step_change, distribution_change, trend_change by counting buckets of the two parts of the histogram
    • disappeared: a detected change point before which less than 1/2 of the buckets are empty, but after which all buckets are empty
      • from step_change, distribution_change, trend_change by counting buckets of the two parts of the histogram
    • decreased: a detected change point before which the average doc count per bucket was larger than after
      • from step_change, distribution_change, trend_change by counting buckets of the two parts of the histogram
      • from non_stationary with a decreasing trend value
    • increased: a detected change point after which the average doc count per bucket was larger than before
      • from step_change, distribution_change, trend_change by counting buckets of the two parts of the histogram
      • from non_stationary with an increasing trend value
    • spike/dip remain as before
    • none: no change was detected
    • unknown: Elasticsearch returned a change type we don't know how to handle (e.g. due to it being a newer version)
  • The new change types are more stable with low document counts.

💡 Implementation hints

  • in most cases the first and last bucket of the histogram should probably be ignored, because they might show boundary effects

Known change types and their attributes as returned by Elasticsearch

| type                | has time | has p-value | other attributes |
|---------------------|----------|-------------|------------------|
| indeterminable      |          |             | reason           |
| stationary          |          |             |                  |
| step_change         |          |             |                  |
| distribution_change |          |             |                  |
| non_stationary      |          |             | rValue, trend    |
| trend_change        |          |             | rValue           |
| spike               |          |             |                  |
| dip                 |          |             |                  |

[Image: Change point detection algorithm of the change_point aggregation]

@weltenwort weltenwort added the Team:obs-ux-logs Observability Logs User Experience Team label Oct 22, 2024
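The acceptance criteria above describe a post-processing step that maps the raw change_point aggregation result plus the bucket histogram onto the refined change types. The following is an added worked example of that mapping, not code from Kibana or from this issue. The `ChangePointResult` shape (a `type` string, an optional `changePoint` bucket index and an optional `trend`) is an assumption about how the aggregation result is surfaced in the UI code; the thresholds (1/5 for rare, 1/2 for the "mostly empty" checks) and the dropping of the first and last bucket are taken from the issue text, and treating `indeterminable` as `none` is an assumption.

```typescript
// Added example (not Kibana's or this issue's code): post-process a raw
// change_point result into the refined change types listed in the issue.

type RefinedChangeType =
  | 'rare' | 'new' | 'disappeared' | 'decreased' | 'increased'
  | 'spike' | 'dip' | 'none' | 'unknown';

// Assumed shape of the fields we need from one change_point result.
// Field names are assumptions; adapt to the real response/aggregation client.
interface ChangePointResult {
  type: string;          // e.g. 'step_change', 'non_stationary', 'spike', ...
  changePoint?: number;  // index into docCounts where the change was detected
  trend?: string;        // 'increasing' | 'decreasing' for non_stationary
}

const RARE_FRACTION = 1 / 5;     // "present in fewer than 1/5th of the buckets"
const SPARSE_FRACTION = 1 / 2;   // "less than 1/2 of the buckets are empty"

function mean(xs: number[]): number {
  return xs.length === 0 ? 0 : xs.reduce((a, b) => a + b, 0) / xs.length;
}

function emptyFraction(xs: number[]): number {
  return xs.length === 0 ? 1 : xs.filter((x) => x === 0).length / xs.length;
}

function refineChangeType(result: ChangePointResult, docCounts: number[]): RefinedChangeType {
  // Implementation hint from the issue: ignore the first and last bucket,
  // which may show boundary effects. Indices shift by one accordingly.
  const trim = docCounts.length > 2;
  const inner = trim ? docCounts.slice(1, -1) : docCounts.slice();
  const offset = trim ? 1 : 0;

  switch (result.type) {
    case 'stationary': {
      // rare: derived from stationary by counting non-empty buckets
      const nonEmpty = inner.filter((c) => c > 0).length;
      return nonEmpty < inner.length * RARE_FRACTION ? 'rare' : 'none';
    }
    case 'step_change':
    case 'distribution_change':
    case 'trend_change': {
      if (result.changePoint === undefined) return 'none';
      const idx = Math.min(Math.max(result.changePoint - offset, 0), inner.length);
      const before = inner.slice(0, idx);
      const after = inner.slice(idx);
      // A change point on a boundary bucket leaves nothing to compare against.
      if (before.length === 0 || after.length === 0) return 'none';
      if (emptyFraction(before) === 1 && emptyFraction(after) < SPARSE_FRACTION) return 'new';
      if (emptyFraction(after) === 1 && emptyFraction(before) < SPARSE_FRACTION) return 'disappeared';
      if (mean(before) > mean(after)) return 'decreased';
      if (mean(after) > mean(before)) return 'increased';
      return 'none';
    }
    case 'non_stationary':
      if (result.trend === 'increasing') return 'increased';
      if (result.trend === 'decreasing') return 'decreased';
      return 'none';
    case 'spike':
      return 'spike';
    case 'dip':
      return 'dip';
    case 'indeterminable':
      return 'none'; // assumption: no usable change was detected
    default:
      return 'unknown'; // a type this code was not written for (e.g. newer ES)
  }
}

// Constructed sample: 12 buckets, a category that appears from bucket 6 onwards.
const sampleCounts = [0, 0, 0, 0, 0, 0, 4, 5, 3, 6, 4, 5];
const sampleResult: ChangePointResult = { type: 'step_change', changePoint: 6 };
console.log(refineChangeType(sampleResult, sampleCounts)); // new
```

The boundary guard matters for the stability goal: with a change point reported on the first or last bucket, one side of the split is empty after trimming, and comparing means against an empty side would otherwise flip between `new`/`disappeared` and `increased`/`decreased` on tiny count differences.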
elasticmachine (Contributor) commented
Pinging @elastic/obs-ux-logs-team (Team:obs-ux-logs)

Development

No branches or pull requests

2 participants