This Elastic Machine Learning course makes attendees self-sufficient with machine learning in the Elastic Stack: unsupervised anomaly detection on time series, forecasting, data frame analytics (outlier detection, regression, classification) and the AIOps Labs.
It covers the full lifecycle — from defining a detector to leveraging results in dashboards and alerting rules — using the Kibana sample data sets (eCommerce, web logs) and observability data.
Learning objectives
- Position Elastic ML in the supervised / unsupervised landscape (classification, regression, anomaly detection, outlier detection).
- Assess whether a data set is suitable for Elastic ML (time series, KPIs, colocation).
- Configure an anomaly detection job: detector, function, field, influencers, bucket span.
- Choose the right job wizard: single-metric, multi-metric, population, advanced, categorization, rare, geo.
- Analyze results with the Single Metric Viewer and Anomaly Explorer, and enrich them (annotations, swimlanes on dashboards).
- Run forecasting and manage models (calendars, scheduled events, model snapshots).
- Turn event-centric data into entity-centric data (pivot, latest) and run data frame analytics.
- Leverage the AIOps Labs (log rate analysis, log pattern analysis, change point detection).
- Create alerting rules on ML jobs and integrate results into Observability and Security.
Course outline
Day 1 — Anomaly detection (unsupervised, time series)
Module 1 — Introduction to Elastic Machine Learning
- ML in the Elastic Stack: anomaly detection, forecasting, language identification.
- Taxonomy: supervised (classification, regression) and unsupervised (anomaly detection, outlier detection).
- When to apply ML: time series, critical KPIs, colocated data.
- Anomaly detection and anomaly scoring: typical questions (log rate, metric spikes, authentication attempts, unusual ports).
Module 2 — Anomaly detection fundamentals
- Anatomy of a job: historical data + real-time feed → model of normal behavior → anomalies.
- Components: detector (function + field), fields, influencers.
- Single detector vs multiple detectors.
- Configure a single-metric job: field, metric, bucket span, time range.
- Lab 2.2: create a single-metric job and interpret the first anomaly.
Module 3 — The job creation wizards
- Single metric: one detector.
- Multi-metric: several detectors on different fields (CPU, event count, transaction duration), optionally split by a field.
- Population: unusual activity compared to a population (outliers).
- Advanced: full configuration of every job parameter.
- Categorization, Rare, Geo: log categories, rare values, geographic anomalies.
- Job validation, summary, real-time start and out-of-the-box ML jobs.
- Lab 3.2: out-of-the-box jobs + custom job (multi-metric and population).
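As an added example that is not part of the course material: the job below combines the detector types covered in Modules 2 and 3 in a single Advanced-wizard job, written as the body of `PUT _ml/anomaly_detectors/web-logs-security` in Kibana Dev Tools. It runs on the Kibana web logs sample data (`kibana_sample_data_logs`; the field names `clientip`, `response`, `bytes`, `geo.src` and `timestamp` are assumed from that data set, and the job and datafeed ids are illustrative). The first detector is the multi-metric pattern (count split by client IP), the second is a rare detector on the HTTP response code, and the third is a population detector that compares each client's transferred bytes against all other clients. Since Elasticsearch 7.11 the datafeed can be declared in the same request through `datafeed_config`.

```json
{
  "description": "Web logs: request rate per client, rare response codes, heavy clients vs population",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "detector_description": "high_count by clientip",
        "function": "high_count",
        "by_field_name": "clientip"
      },
      {
        "detector_description": "rare by response",
        "function": "rare",
        "by_field_name": "response"
      },
      {
        "detector_description": "high_mean(bytes) over clientip",
        "function": "high_mean",
        "field_name": "bytes",
        "over_field_name": "clientip"
      }
    ],
    "influencers": ["clientip", "geo.src", "response"]
  },
  "data_description": {
    "time_field": "timestamp"
  },
  "model_plot_config": {
    "enabled": true
  },
  "datafeed_config": {
    "datafeed_id": "datafeed-web-logs-security",
    "indices": ["kibana_sample_data_logs"],
    "query": { "match_all": {} }
  }
}
```

After the job is created, open it with `POST _ml/anomaly_detectors/web-logs-security/_open` and start the datafeed with `POST _ml/datafeeds/datafeed-web-logs-security/_start` (add `?start=` and `?end=` to replay a historical window, otherwise it runs in real time). Listing `clientip` as an influencer is what lets the Anomaly Explorer attribute a spike to a single source address, which is the question a security analyst actually asks. Two caveats a practitioner should weigh: the bucket span is a trade-off (a shorter span reacts faster but yields noisier scores), and `model_plot_config` stores model bounds for every entity, so keep it disabled on jobs whose split field has very high cardinality.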
Module 4 — Analyzing and leveraging results
- Single Metric Viewer: Actual vs Expected curve, 95% bounds, timeline, severity.
- Anomaly Explorer: swimlanes, filters, anomaly list, top influencers.
- Annotations: enrich results with business meaning; swimlanes and anomaly charts on dashboards.
- Forecasting from the Single Metric Viewer.
- Calendars & scheduled events, model snapshots and revert.
- Lab 4.3: analysis, annotations, forecast and swimlane on a dashboard.
Day 2 — Data Frame Analytics, AIOps and operationalization
Module 5 — Transforms: from event to entity
- Why transform: moving from event-centric to entity-centric data.
- Pivot (aggregation per entity) and Latest (most recent documents per entity).
- Transforms create a new index (they do not replace the original data).
- Build a transform: group by, fields to aggregate, preview.
- Lab 5.2: transform eCommerce orders into a customer-centric index.
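Added example, not the course's lab solution: a pivot transform that builds the customer-centric index described above from the eCommerce sample data, as the body of `PUT _transform/ecommerce-customers`. The field names (`customer_id`, `order_id`, `taxful_total_price`, `total_quantity`, `geoip.country_iso_code`, `order_date`) are those of `kibana_sample_data_ecommerce`; the transform and destination index names are assumed. One document per customer is written to a new index, and the source orders are left untouched.

```json
{
  "description": "One document per customer, aggregated from eCommerce orders",
  "source": {
    "index": "kibana_sample_data_ecommerce",
    "query": { "match_all": {} }
  },
  "dest": { "index": "ecommerce-customers" },
  "pivot": {
    "group_by": {
      "customer_id": { "terms": { "field": "customer_id" } }
    },
    "aggregations": {
      "order_count": { "value_count": { "field": "order_id" } },
      "total_spent": { "sum": { "field": "taxful_total_price" } },
      "avg_order_value": { "avg": { "field": "taxful_total_price" } },
      "max_order_value": { "max": { "field": "taxful_total_price" } },
      "items_bought": { "sum": { "field": "total_quantity" } },
      "countries": { "cardinality": { "field": "geoip.country_iso_code" } },
      "last_order": { "max": { "field": "order_date" } }
    }
  },
  "frequency": "5m",
  "sync": {
    "time": { "field": "order_date", "delay": "60s" }
  }
}
```

Check the output shape first by sending the same body to `POST _transform/_preview`, then create the transform and run it with `POST _transform/ecommerce-customers/_start`. The `sync` block makes this a continuous transform that keeps the customer index up to date as new orders arrive (the `delay` leaves time for late-ingested documents); drop `sync` for a one-off batch transform. The resulting numeric features are exactly what the outlier detection job of Module 6 will consume.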
Module 6 — Data Frame Analytics
- Data structures: time series → anomaly detection; data frame → outlier detection, regression, classification.
- Outlier detection (unsupervised): outlier score from 0 to 1, scatterplots.
- Regression and classification (supervised): trained models and the notion of inference.
- Lab 6.3: data frame analytics (outlier detection on the customer index).
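Added example (not the course's lab solution): an outlier detection data frame analytics job on an entity-centric customer index, as the body of `PUT _ml/data_frame/analytics/ecommerce-customer-outliers`. The source index and its numeric fields are assumed to be the ones a customer-per-document transform produces (order count, spend, item and country counts); job and index names are illustrative.

```json
{
  "description": "Outlier detection on the customer-centric index",
  "source": {
    "index": "ecommerce-customers"
  },
  "dest": {
    "index": "ecommerce-customers-outliers",
    "results_field": "ml"
  },
  "analysis": {
    "outlier_detection": {
      "n_neighbors": 10,
      "compute_feature_influence": true,
      "feature_influence_threshold": 0.1,
      "standardization_enabled": true
    }
  },
  "analyzed_fields": {
    "includes": [
      "order_count",
      "total_spent",
      "avg_order_value",
      "max_order_value",
      "items_bought",
      "countries"
    ]
  },
  "model_memory_limit": "100mb"
}
```

Start it with `POST _ml/data_frame/analytics/ecommerce-customer-outliers/_start`. Each destination document receives `ml.outlier_score` (0 to 1, as in the module above) and, because feature influence is enabled, an `ml.feature_influence` list naming which fields pushed the score up; sorting the destination index by `ml.outlier_score` descending gives the candidates to review. Restricting `analyzed_fields` to numeric features matters: identifiers such as `customer_id` carry no signal and would only add noise to the distance computation.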
Module 7 — AIOps Labs
- AIOps principle: automate IT operations through big data and ML.
- Log rate analysis (formerly Explain log rate spikes): identify the reasons behind a log rate increase.
- Log pattern analysis: patterns in unstructured logs (also in Discover).
- Change point detection: spikes, dips, trend changes.
- Lab 7.2: get insights faster with the AIOps Labs.
Module 8 — Alerting and operationalizing ML
- ML alerting rules: anomaly detection alert (result types Bucket, Record, Influencer; severity level).
- Anomaly detection jobs health: monitor the health of the jobs themselves.
- Create ML jobs directly from Observability (Infrastructure, APM).
- Anomaly detection used by the Security Detection Engine.
- Lab 8.2: create an alerting rule on an anomaly detection job.
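Added example, not from the course: the alerting rule of Lab 8.2 expressed through the Kibana alerting API, as the body of `POST kbn:/api/alerting/rule` in Dev Tools (or `POST /api/alerting/rule` with a `kbn-xsrf` header). The `params` shape follows the ML rule type `xpack.ml.anomaly_detection_alert` as of Kibana 8.x; the job id, rule name, `consumer` value and connector are assumptions, and `<connector-id>` must be replaced by the id of an existing connector (a Slack-style connector that takes a `message` parameter is assumed).

```json
{
  "name": "Web logs: record anomalies at or above 75",
  "rule_type_id": "xpack.ml.anomaly_detection_alert",
  "consumer": "alerts",
  "schedule": { "interval": "5m" },
  "params": {
    "jobSelection": { "jobIds": ["web-logs-security"], "groupIds": [] },
    "severity": 75,
    "resultType": "record",
    "includeInterim": false,
    "lookbackInterval": null,
    "topNBuckets": null
  },
  "actions": [
    {
      "group": "anomaly_score_match",
      "id": "<connector-id>",
      "params": {
        "message": "ML anomaly in {{context.jobIds}}: score {{context.score}} at {{context.timestampIso8601}}"
      }
    }
  ]
}
```

`resultType` is the choice discussed above: `record` fires on individual anomalous records (best for "which client IP did what"), `bucket` on the overall bucket score, and `influencer` on the influencer score. `severity` is the anomaly-score threshold (75 corresponds to the "critical" band in the Anomaly Explorer). Leaving `includeInterim` false avoids alerting on interim results that the next bucket may revise downward; set `lookbackInterval` explicitly if the rule's check interval is much longer than the job's bucket span. Pair this rule with the "Anomaly detection jobs health" rule type so that a stopped datafeed does not silently turn into an absence of alerts.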
The training instructor
Your instructor has delivered over 110 training sessions on Elastic technologies and spends 50% of the time on production work as an ELK / Elastic Stack consultant, so the course is taught by someone with hands-on production experience.
Duration
2 days. I can adapt the duration for your company.
Pricing
On quotation. Rates are set for your situation, for inter-company or in-house (intra-company) sessions.
Custom
Get back to me: I will adapt the duration, location and course content.
Who should attend
Data analysts and data scientists, SRE / DevOps and Observability engineers, security analysts and Elastic administrators.
Prerequisites
Basic Kibana skills (Discover, Data Views, Lens) and a grasp of time series and KPIs. No programming or data science prerequisite: anomaly detection in Elastic ML is unsupervised and wizard-driven, and the supervised data frame analytics are configured the same way.
Method
Progression concept → instructor demo → lab → summary → quiz (3 questions per lesson). Validated through lab completion.
Training materials
You will receive PDF training materials for all of my courses, plus the code for the hands-on labs.
