From eb805deb46aa220c1e06bb2762d3a337f57793ea Mon Sep 17 00:00:00 2001
From: David Roberts
Date: Thu, 25 Jan 2024 13:43:04 +0000
Subject: [PATCH] Update docs/reference/ml/anomaly-detection/ml-delayed-data-detection.asciidoc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: István Zoltán Szabó
---
 .../ml-delayed-data-detection.asciidoc | 23 +++++++++++--------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/docs/reference/ml/anomaly-detection/ml-delayed-data-detection.asciidoc b/docs/reference/ml/anomaly-detection/ml-delayed-data-detection.asciidoc
index 32dfc14bf60c4..429be56031028 100644
--- a/docs/reference/ml/anomaly-detection/ml-delayed-data-detection.asciidoc
+++ b/docs/reference/ml/anomaly-detection/ml-delayed-data-detection.asciidoc
@@ -52,16 +52,21 @@ for the periods where these delays occur:
 [role="screenshot"]
 image::images/ml-annotations.png["Delayed data annotations in the Single Metric Viewer"]
 
-IMPORTANT: Because we are comparing `doc_count` from an aggregation with the
-job's bucket results, the delayed data check will not work correctly if the
-job's datafeed is using aggregations and its `analysis_config` does not have
-its `summary_count_field_name` set to `doc_count`, or if your job is _not_
-using aggregations and `summary_count_field_name` is set to anything. If your
-job's datafeed is using aggregations then it's highly likely that your
-`summary_count_field_name` should be `doc_count`. If `summary_count_field_name`
-is set at all, and is _not_ set to `doc_count`, then you must disable the
-delayed data check for that job.
+[IMPORTANT]
+====
+As the `doc_count` from an aggregation is compared with the
+bucket results of the job, the delayed data check will not work correctly in the
+following cases:
+* if the datafeed uses aggregations and its `analysis_config` does not have its
+`summary_count_field_name` set to `doc_count`,
+* if your job is _not_ using aggregations and `summary_count_field_name` is set to
+any value.
+If the datafeed is using aggregations then it's highly likely that the
+`summary_count_field_name` should be set to `doc_count`. If
+`summary_count_field_name` is set to any value other than `doc_count`, the
+delayed data check for that job must be disabled.
+====
 
 There is another tool for visualizing the delayed data on the *Annotations* tab
 in the {anomaly-detect} job management page: