[ML] Recognize modules takes a long time to return results #116696

Closed
qn895 opened this issue Oct 28, 2021 · 3 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Anomaly Detection ML anomaly detection :ml v8.0.0 v8.1.0

Comments

@qn895
Member

qn895 commented Oct 28, 2021

Kibana version:
7.13.3

Elasticsearch version:
N/A

Describe the bug:
Currently, it will take a long time to get results from /api/ml/modules/recognize especially if the index pattern includes indices that are frozen.

Steps to reproduce:

  1. Create a data view like apm-*-transaction*,auditbeat-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-* where some indices are frozen
  2. Open ML Job Settings in the Security App - Detections page
  3. Wait until the spinners are done - which may take a minute or so

Expected behavior:
Jobs should be recognized in less than a minute

Any additional context:
We can set the elasticsearch query to respect the UI setting if it's set to ignore frozen in searches.

@qn895 qn895 added enhancement New value added to drive a business result :ml Feature:Anomaly Detection ML anomaly detection labels Oct 28, 2021
@qn895 qn895 self-assigned this Oct 28, 2021
@elasticmachine
Contributor

Pinging @elastic/ml-ui (:ml)

@peteharverson peteharverson added v8.1.0 v8.0.0 bug Fixes for quality problems that affect the customer experience and removed enhancement New value added to drive a business result labels Nov 1, 2021
@peteharverson
Contributor

peteharverson commented Nov 5, 2021

As per suggestion in #117208 (comment), the following should be added to the manifest query for all the data recognizer modules, in a bool query combining it with the other conditions that are already there:

"must_not": { "terms": { "_tier": [ "data_frozen", "data_cold" ] } }

This also needs to be done for the ML modules in the apache and nginx integration packages.

And the change made in #117208 needs to be reverted.

@peteharverson
Contributor

Closing issue as the condition

"must_not": { "terms": { "_tier": [ "data_frozen", "data_cold" ] } }

has now been added to the manifest query for all the necessary modules shipped with the ML plugin in #119635 for 8.0.0, and for the Apache and Nginx integration packages.

jgowdyelastic added a commit that referenced this issue Mar 22, 2023
…ecurity modules (#153222)

The cold and frozen query filters which were added
[here](#116696) were
accidentally removed in this
[PR](#131166)
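
The fix discussed in this thread and its later accidental removal, as an added example that is not Kibana's own code: a JavaScript check that flags module manifest queries missing the `_tier` exclusion, plus a helper that combines the exclusion into an existing bool query. The function names, the reduced manifest shape (`id`, `query`) and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not Kibana source). The tier names and must_not clause come
// from the issue; function names and sample manifests are constructed.
const EXCLUDED_TIERS = ['data_frozen', 'data_cold'];

// Normalise a bool clause (absent, single object, or array) to an array.
function asArray(clause) {
  if (clause === undefined || clause === null) return [];
  return Array.isArray(clause) ? clause : [clause];
}

// True when the query's top-level bool.must_not excludes every tier above.
function hasTierExclusion(query) {
  const mustNot = asArray(query && query.bool && query.bool.must_not);
  return mustNot.some((c) => {
    const tiers = c && c.terms && c.terms._tier;
    return Array.isArray(tiers) && EXCLUDED_TIERS.every((t) => tiers.includes(t));
  });
}

// Return a copy of the query with the exclusion combined into its bool query.
// A non-bool query is wrapped as a filter so its original condition still applies.
function withTierExclusion(query) {
  if (hasTierExclusion(query)) return query;
  const exclusion = { terms: { _tier: [...EXCLUDED_TIERS] } };
  if (query && query.bool) {
    return {
      bool: { ...query.bool, must_not: [...asArray(query.bool.must_not), exclusion] },
    };
  }
  return { bool: { filter: asArray(query), must_not: [exclusion] } };
}

// List module ids whose manifest query lacks the exclusion (regression guard).
function modulesMissingExclusion(manifests) {
  return manifests.filter((m) => !hasTierExclusion(m.query)).map((m) => m.id);
}

// Constructed sample manifests, reduced to the fields used here.
const SAMPLE_MANIFESTS = [
  { id: 'sample_ok', query: { bool: {
    filter: [{ term: { 'event.dataset': 'a' } }],
    must_not: { terms: { _tier: ['data_frozen', 'data_cold'] } } } } },
  { id: 'sample_partial', query: { bool: { must_not: [{ terms: { _tier: ['data_frozen'] } }] } } },
  { id: 'sample_plain', query: { term: { 'agent.type': 'auditbeat' } } },
];

console.log(modulesMissingExclusion(SAMPLE_MANIFESTS));
```

Run over every shipped manifest in a unit test, a check like `modulesMissingExclusion` would fail the build if the filter is dropped again.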