Description
There is a discrepancy between the `typical` value in the record and the `typical_value` in its `anomaly_score_explanation`. This may be legitimate, but if so it is confusing, since the two fields have similar names. We need to investigate where the discrepancy comes from.
Example:
{
"job_id": "logs-2",
"result_type": "record",
"probability": 1.3270118176914605e-10,
"multi_bucket_impact": -5,
"record_score": 98.23845097090914,
"initial_record_score": 98.23845097090914,
"bucket_span": 900,
"detector_index": 0,
"is_interim": false,
"timestamp": 1744461000000,
"function": "count",
"function_description": "count",
"typical": [
6.350539918419784
],
"actual": [
63
],
"anomaly_score_explanation": {
"anomaly_type": "spike",
"anomaly_length": 1,
"single_bucket_impact": 13,
"anomaly_characteristics_impact": 7,
"lower_confidence_bound": 1.950348036227763,
"typical_value": 6.273279374077203,
"upper_confidence_bound": 13.662117549841197,
"high_variance_penalty": true,
"multimodal_distribution": true,
"by_field_relative_rarity": 1
},
"ip": [
"30.156.16.163"
],
"clientip": [
"30.156.16.164"
]
}