[ML] Adds ML modules for Metrics UI Integration

[blaklaybul]

Summary

Adds the files for a new metrics_ui_hosts and metrics_ui_k8s modules for use within the Metrics app, containing the job and datafeed configuration files that support the analyses designed for the metrics integration.

For each modules, this PR contains:

• module manifest.json containing a query that uniquely defines when the module should appear in the ML app.
• ML Job configurations for 4 jobs:
  • {hosts||k8s}_cpu_usage
  • {hosts||k8s}_memory_usage
  • {hosts||k8s}_network_in
  • {hosts||k8s}_network_out
• Datafeed configurations to accompany the jobs.
• Logo

To Do:

• provide job and module descriptions, finalize titles

[phillipb]

Noticed that the host jobs have an id prefixed with hosts, but the k8s jobs don't. Should we be consistent here? Not sure we actually need the prefix.

[blaklaybul]

i've included the k8s prefix on the kubernetes jobs, as we'll want to distinguish between them in ML job management.

[blaklaybul]

Custom URLs have been added for all jobs. The app/ prefix has been left off, so they will not work as is. We're awaiting a PR from @peteharverson that will include metrics in our isKibanaUrl check for custom URLs. Also, to accommodate the new URLs, kubernetes.pod.name has been replaced by kubernetes.pod.id in the terms aggs in datafeed_k8s_network_in.json and datafeed_k8s_network_out.json. This ensures that these field values are passed to the datafeed and can therefore be used as influencers in the URL creation.

[lcawl]

Suggested change

	"description": "Detect anomalous memory, cpu, and network behavior on hosts.",
	"description": "Detect anomalous memory, CPU, and network behavior on hosts.",

[blaklaybul]

updated - thanks!

[lcawl]

Suggested change

	"description": "Metrics: Hosts - Identify unusual spikes in cpu utilization across hosts.",
	"description": "Metrics: Hosts - Identify unusual spikes in CPU utilization across hosts.",

[blaklaybul]

updated - thanks!

[lcawl]

Suggested change

	"description": "Detect anomalous memory, cpu, and network behavior on kubernetes pods.",
	"description": "Detect anomalous memory, CPU, and network behavior on Kubernetes pods.",

[blaklaybul]

updated - thanks!

[lcawl]

Suggested change

	"description": "Metrics: Kubernetes - Identify unusual spikes in cpu utilization across kubernetes pods.",
	"description": "Metrics: Kubernetes - Identify unusual spikes in CPU utilization across Kubernetes pods.",

[blaklaybul]

updated - thanks!

[lcawl]

Suggested change

	"description": "Metrics: Kubernetes - Identify unusual spikes in memory usage across kubernetes pods.",
	"description": "Metrics: Kubernetes - Identify unusual spikes in memory usage across Kubernetes pods.",

[blaklaybul]

updated - thanks!

[lcawl]

Suggested change

	"description": "Metrics: Kubernetes - Identify unusual spikes in inbound traffic across kubernetes pods.",
	"description": "Metrics: Kubernetes - Identify unusual spikes in inbound traffic across Kubernetes pods.",

[blaklaybul]

updated - thanks!

[lcawl]

Suggested change

	"description": "Metrics: Kubernetes - Identify unusual spikes in outbound traffic across kubernetes pods.",
	"description": "Metrics: Kubernetes - Identify unusual spikes in outbound traffic across Kubernetes pods.",

[blaklaybul]

updated - thanks!

[blaklaybul]

@phillipb I wanted to lay out how you will need to override the job and datafeed configs based on the partition fields provided by the user (using cloud.project.id in the following examples). The flow will be slightly different for the hosts and k8s modules:

metrics-ui-hosts

job configurations

The analysis_config object in each job configuration will need to include "partition_field_name": "cloud.project.id" and cloud.project.id will need to be added to the list of influencers. So, for example, for the job hosts_network_in, the analysis_config will need appear as follows:

"analysis_config": {
      "bucket_span": "15m",
      "detectors": [
        {
          "detector_description": "max(bytes_in_derivative)",
          "function": "max",
          "field_name": "bytes_in_derivative",
          "parition_field_name": "cloud.project.id"
        }
      ],
      "influencers": [
        "host.name",
        "cloud.project.id"
        ],
      "summary_count_field_name": "doc_count"
    }

datafeed configurations

For the metrics-ui-hosts module, all datafeeds with the exception of datafeed_hosts_memory_usage use aggregations - for these, we will need to wrap the existing aggregation in a terms agg on the user-supplied partition field. This terms agg must have a name matching the user-supplied field. Using datafeed_hosts_network_in as an example, the aggregations object will need to appear as such:

{
    "aggregations": {
        "cloud.project.id": {
            "terms": {
                "field": "cloud.project.id"
            },
            "aggregations": {
                "host.name": {"terms": {"field": "host.name"},
                    "aggregations": {
                        "buckets": {
                            "date_histogram": {"field": "@timestamp","fixed_interval": "5m"},
                            "aggregations": {
                                "@timestamp": {"max": {"field": "@timestamp"}},
                                "bytes_in_max": {"max": {"field": "system.network.in.bytes"}},
                                "bytes_in_derivative": {"derivative": {"buckets_path": "bytes_in_max"}},
                                "positive_only":{
                                    "bucket_script": {
                                        "buckets_path": {"in_derivative": "bytes_in_derivative.value"},
                                        "script": "params.in_derivative > 0.0 ? params.in_derivative : 0.0"
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

metrics-ui-k8s

job configurations

Since the metrics-ui-k8s module is shipping with a default partition field - kubernetes.namespace - the detectors in analysis_config already contain "partition_field_name": "kubernetes.namespace". If the user chooses to override the default, all you will need to do is replace kubernetes.namespace with the user supplied field in the detector and in the influencer list.

datafeed configurations

Only datafeed_k8s_network_in and datafeed_k8s_network_out contains aggregations in the metrics-ui-k8s module. Since we are supplying a default partition field, the outer aggregations are already in the configs. So for these datafeeds, all you will need to do is replace kubernetes.namespace with the user-supplied field name in the outer aggregation in 2 places - the name of the agg and the "field" value.

[elasticmachine]

Pinging @elastic/ml-ui (:ml)

[peteharverson]

Worth noting here for reference, that there is an open issue that we currently do not support the plot of metric data in the Anomaly Explorer or Single Metric Viewer charts for detectors which use a derivative aggregation on a scripted field - #18464. This is because of the difficulties of reverse engineering the datafeed config aggregations back to a search to run on the source data to obtain the metric data for plotting in the charts. Currently the charts just display blank.

This will affect the four inbound / outbound traffic jobs.

Similarly, the hosts CPU usage job uses a bucket_script for the CPU metric in the datafeed, so again, the metric data in the anomaly charts will be blank.

[peteharverson]

Tested these two modules with the metrics-ui-full data set and overall it looks good. A couple of questions about descriptions for detectors, plus whether we want to remove the query section from the hosts module before merging.

[peteharverson]

If the jobs in this module provide no value without the specific overrides we are expecting from the Metrics UI, then removing this query block is the way to hide it from the ML job wizards.

[blaklaybul]

the query and defaultIndexPattern fields have been removed, as we do in the logs integration modules.

[blaklaybul]

As per @sorantis 's request, the CPU jobs have been removed from both modules.

[blaklaybul]

@elasticmachine merge upstream

[peteharverson]

Latest edits LGTM

[lcawl]

Descriptions LGTM

[blaklaybul]

@elasticmachine merge upstream

[peteharverson]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: a4bb4fe

Build metrics

distributable file count

id	value	diff	baseline
default	45934	+16	45918

History

• 💚 Build #75102 succeeded a4bb4fe
• 💔 Build #74977 failed 9377511
• 💔 Build #74838 failed 5f01331
• 💚 Build #74856 succeeded 77532b0
• 💔 Build #74659 failed 1288b8f

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream