Elastic machine learning training

Anomaly detection, forecasting and data frame analytics with Elastic.

This Elastic Machine Learning training enables attendees to work independently with Machine Learning in the Elastic Stack: unsupervised anomaly detection on time series, forecasting, data frame analytics (outlier detection, regression, classification) and AIOps.

It covers the full lifecycle — from defining a detector to leveraging results in dashboards and alerting rules — using the Kibana sample data sets (eCommerce, web logs) and observability data.

Learning objectives

  • Position Elastic ML in the supervised / unsupervised landscape (classification, regression, anomaly detection, outlier detection).
  • Assess whether a data set is suitable for Elastic ML (time series, KPIs, colocation).
  • Configure an anomaly detection job: detector, function, field, influencers, bucket span.
  • Choose the right job wizard: single-metric, multi-metric, population, advanced, categorization, rare, geo.
  • Analyze results with the Single Metric Viewer and Anomaly Explorer, and enrich them (annotations, swimlanes on dashboards).
  • Run forecasting and manage models (calendars, scheduled events, model snapshots).
  • Turn event-centric data into entity-centric data (pivot, latest) and run data frame analytics.
  • Leverage the AIOps Labs (log rate analysis, log pattern analysis, change point detection).
  • Create alerting rules on ML jobs and integrate results into Observability and Security.

Course outline

Day 1 — Anomaly detection (unsupervised, time series)

Module 1 — Introduction to Elastic Machine Learning

  • ML in the Elastic Stack: anomaly detection, forecasting, language identification.
  • Taxonomy: supervised (classification, regression) and unsupervised (anomaly detection, outlier detection).
  • When to apply ML: time series, critical KPIs, colocated data.
  • Anomaly detection and anomaly scoring: typical questions (log rate, metric spikes, authentication attempts, unusual ports).

Module 2 — Anomaly detection fundamentals

  • Anatomy of a job: historical data + real-time feed → model of normal behavior → anomalies.
  • Components: detector (function + field), fields, influencers.
  • Single detector vs multiple detectors.
  • Configure a single-metric job: field, metric, bucket span, time range.
  • Lab 2.2: create a single-metric job and interpret the first anomaly.

Module 3 — The job creation wizards

  • Single metric: one detector.
  • Multi-metric: several detectors on unrelated fields (CPU, event count, transaction duration).
  • Population: unusual activity compared to a population (outliers).
  • Advanced: full configuration of every job parameter.
  • Categorization, Rare, Geo: log categories, rare values, geographic anomalies.
  • Job validation, summary, real-time start and out-of-the-box ML jobs.
  • Lab 3.2: out-of-the-box jobs + custom job (multi-metric and population).

Module 4 — Analyzing and leveraging results

  • Single Metric Viewer: Actual vs Expected curve, 95% bounds, timeline, severity.
  • Anomaly Explorer: swimlanes, filters, anomaly list, top influencers.
  • Annotations: enrich results with business meaning; swimlanes and anomaly charts on dashboards.
  • Forecasting from the Single Metric Viewer.
  • Calendars & scheduled events, model snapshots and revert.
  • Lab 4.3: analysis, annotations, forecast and swimlane on a dashboard.

Day 2 — Data Frame Analytics, AIOps and operationalization

Module 5 — Transforms: from event to entity

  • Why transform: moving from event-centric to entity-centric data.
  • Pivot (aggregation per entity) and Latest (most recent documents per entity).
  • Transforms create a new index (they do not replace the original data).
  • Build a transform: group by, fields to aggregate, preview.
  • Lab 5.2: transform eCommerce orders into a customer-centric index.

Module 6 — Data Frame Analytics

  • Data structures: time series → anomaly detection; data frame → outlier detection, regression, classification.
  • Outlier detection (unsupervised): outlier score from 0 to 1, scatterplots.
  • Regression and classification (supervised): trained models and the notion of inference.
  • Lab 6.3: data frame analytics (outlier detection on the customer index).

Module 7 — AIOps Labs

  • AIOps principle: automate IT operations through big data and ML.
  • Explain log rate spikes: identify the reasons behind a log rate increase.
  • Log pattern analysis: patterns in unstructured logs (also in Discover).
  • Change point detection: spikes, dips, trend changes.
  • Lab 7.2: get insights faster with the AIOps Labs.

Module 8 — Alerting and operationalizing ML

  • ML alerting rules: anomaly detection alert (result types Bucket, Record, Influencer; severity level).
  • Anomaly detection jobs health: monitor the health of the jobs themselves.
  • Create ML jobs directly from Observability (Infrastructure, APM).
  • Anomaly detection used by the Security Detection Engine.
  • Lab 8.2: create an alerting rule on an anomaly detection job.

The Training Instructor

With over 110 training sessions conducted on Elastic technologies, your instructor is engaged in production work for 50% of the time, serving as an ELK and Elastic Stack consultant. You have an instructor who also possesses hands-on production experience.

Learn more about your instructor.

Duration

2 days.

I can adapt the duration for your company.

Rates

On quotation

Rates are quoted for you, for inter-company or intra-company sessions.


Custom

Get back to me and I will adapt the duration, location and course content.

Who should attend

Data analysts and data scientists, SRE / DevOps and Observability engineers, security analysts and Elastic administrators.

Prerequisites

Basic Kibana skills (Discover, Data Views, Lens) and a grasp of time series and KPIs. No programming or data science prerequisites are required: Elastic ML is unsupervised and wizard-driven.

Method

Progression: concept → instructor demo → lab → summary → quiz (3 questions per lesson). Validated through lab completion.

Training materials

You will get PDF training materials for all of my courses and the code for the hands-on labs.