elastic · kosabogi · Nov 25, 2024 · Nov 6, 2024 · Nov 18, 2024 · Nov 25, 2024
@@ -33,8 +33,8 @@ a {dfeed} will be required.
 You can create {anomaly-jobs} by using the
 {ref}/ml-put-job.html[create {anomaly-jobs} API]. {kib} also provides
 wizards to simplify the process, which vary depending on whether you are using
-the {ml-app} app, {security-app} or {observability} apps. In *{ml-app}* >
-*Anomaly Detection*:
+the {ml-app} app, {security-app} or {observability} apps. To open *Anomaly Detection*, 
+find *{ml-app}* in the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field].
 
 [role="screenshot"]
 image::images/ml-create-job.png[Create New Job]

@@ -33,8 +33,8 @@ Avoid using human-generated data for categorization analysis.
 [[creating-categorization-jobs]]
 == Creating categorization jobs
 
-. In {kib}, navigate to **{ml-app} > Anomaly Detection > Jobs**.
-. Click **Create {anomaly-jobs}**, select the {data-view} you want to analyze.
+. In {kib}, navigate to *Jobs*. To open *Jobs*, find **{ml-app} > Anomaly Detection** in the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field].
+. Click **Create job**, select the {data-view} you want to analyze.
 . Select the **Categorization** wizard from the list.
 . Choose a categorization detector - it's the `count` function in this example - and the field you want to categorize - the `message` field in this example.
 +

@@ -40,7 +40,7 @@ NOTE: You need to have a compatible visualization on **Dashboard** to create an
 which is based on the {kib} sample flight data set. Select the `Flight count` 
 visualization from the dashboard.
 
-. Go to **Analytics > Dashboard** and select a dashboard with a compatible 
+. Go to **Analytics > Dashboard** from the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field]. Select a dashboard with a compatible 
 visualization.
 . Open the **Options (...) menu** for the panel, then select **More**.  
 . Select **Create {anomaly-job}**. The option is only displayed if the 

@@ -0,0 +1,96 @@
+[[ml-configuring-populations]]
+= Performing population analysis
+
+Population analysis is a method of detecting anomalies by comparing the behavior of entities or events within a specified population.
+In this approach, {ml} analytics create a profile of what is considered "typical" behavior for users, machines, or other entities over a specified time period.
+An entity is considered as anomalous when its behavior deviates from that of the population, indicating abnormal activity compared to the rest of the population.
+
+This type of analysis is most effective when the behavior within a group is generally homogeneous, allowing for the identification of unusual patterns.
+However, it is less useful when members of the population show vastly different behaviors.
+In such cases, you can segment your data into groups with similar behaviors and run separate jobs for each.
+This can be done by using a query filter in the datafeed or by applying the `partition_field_name` to split the analysis across different groups.
+
+Population analysis is resource-efficient and scales well, enabling the analysis of populations consisting of hundreds of thousands or even millions of entities with a lower resource footprint than analyzing each series individually.
+
+
+
+[discrete]
+[[population-recommendations]]
+== Recommendations
+
+* Use population analysis when the behavior within a group is mostly homogeneous, as it helps identify anomalous patterns effectively.
+* Leverage population analysis when dealing with large-scale datasets.
+* Avoid using population analysis when members of the population exhibit vastly different behaviors, as it may not be effective.
+
+
+[discrete]
+[[creating-population-jobs]]
+== Creating population jobs
+
+. In {kib}, navigate to *Jobs*. To open *Jobs*, find **{ml-app} > Anomaly Detection** in the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field].
+. Click **Create job**, select the {data-source} you want to analyze.
+. Select the **Population** wizard from the list.
+. Choose a population field - it's the `clientip` field in this example - and the metric you want to use for the analysis - `Mean(bytes)` in this example.
++
+--
+[role="screenshot"]
+image::images/ml-population-wizard.png[Creating a population job in Kibana]
+--
+. Click **Next**.
+. Provide a job ID and click **Next**.
+. If the validation is successful, click **Next** to review the summary of the job creation.
+. Click **Create job**.
+
+[%collapsible]
+.API example
+====
+To specify the population, use the `over_field_name` property. For example:
+
+[source,console]
+----------------------------------
+PUT _ml/anomaly_detectors/population
+{
+  "description" : "Population analysis",
+  "analysis_config" : {
+    "bucket_span":"15m",
+    "influencers": [
+      "clientip"
+    ],
+    "detectors": [
+      {
+        "function": "mean",
+        "field_name": "bytes",
+        "over_field_name": "clientip" <1>
+      }
+    ]
+  },
+  "data_description" : {
+    "time_field":"timestamp",
+    "time_format": "epoch_ms"
+  }
+}
+----------------------------------
+// TEST[skip:needs-licence]
+
+<1> This `over_field_name` property indicates that the metrics for each client (as identified by their IP address) are analyzed relative to other clients in each bucket.
+====
+
+[discrete]
+[[population-job-results]]
+=== Viewing the job results
+
+Use the **Anomaly Explorer** in {kib} to view the analysis results:
+
+[role="screenshot"]
+image::images/ml-population-anomalies.png["Population results in the Anomaly Explorer"]
+
+The results are often quite sparse.
+There might be just a few data points for the selected time period.
+Population analysis is particularly useful when you have many entities and the data for specific entitles is sporadic or sparse.
+If you click on a section in the timeline or swim lanes, you can see more details about the anomalies:
+
+[role="screenshot"]
+image::images/ml-population-anomaly.png["Anomaly details for a specific user"]
+
+In this example, the client IP address `167.145.234.154` received a high volume of bytes on the date and time shown.
+This event is anomalous because the mean is four times higher than the expected behavior of the population.
@@ -7,7 +7,7 @@ resilience. It makes it possible to reset the model to a previous state in case
 of a system failure or if the model changed significantly due to a one-off 
 event.
 
-. In {kib}, navigate to **{ml-app} > Anomaly Detection > Jobs**.
+. In {kib}, navigate to *Jobs*. To open *Jobs*, find **{ml-app} > Anomaly Detection** in the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field].
 . Locate the {anomaly-job} whose model you want to revert in the job table.
 . Open the job details and navigate to the **Model Snapshots** tab.
 +

@@ -1,6 +1,6 @@
 tag::dfa-deploy-model[]
 . To deploy {dfanalytics} model in a pipeline, navigate to  **Machine Learning** > 
-**Model Management** > **Trained models** in {kib}.
+**Model Management** > **Trained models** in the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field] in {kib}.
 
 . Find the model you want to deploy in the list and click **Deploy model** in 
 the **Actions** menu.

@@ -34,7 +34,7 @@ request rate on your web site drops significantly.
 
 Let's start by looking at this simple job in the **Single Metric Viewer**:
 
-. Select the *Anomaly Detection* tab in *{ml-app}* to see the list of your
+. Select the *Jobs* tab in *{ml-app}* to see the list of your
 {anomaly-jobs}.
 
 . Click the chart icon in the *Actions* column for your `low_request_rate` job
@@ -151,7 +151,7 @@ look at both high and low request rates partitioned by response code.
 Let's start by looking at the `response_code_rates` job in the
 **Anomaly Explorer**:
 
-. Select the *Anomaly Detection* tab in *{ml-app}* to see the list of your
+. Select the *Jobs* tab in *{ml-app}* to see the list of your
 {anomaly-jobs}.
 
 . Open the `response_code_rates` job in the Anomaly Explorer to view its results

@@ -17,7 +17,7 @@ exception for your {kib} URL.
 
 --
 
-. Click *Machine Learning* in the {kib} main menu.
+. Open *Machine Learning* from the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field].
 
 . Select the *{data-viz}* tab.
 

@@ -92,7 +92,7 @@ NOTE: For most cases, the preferred version is the **Intel and Linux optimized**
 [[trained-model-e5]]
 ==== Using the Trained Models page
 
-1. In {kib}, navigate to **{ml-app}** > **Trained Models**. E5 can be found in 
+1. In {kib}, navigate to **{ml-app}** > **Trained Models** from the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field]. E5 can be found in 
 the list of trained models. There are two versions available: one portable 
 version which runs on any hardware and one version which is optimized for Intel® 
 silicon. You can see which model is recommended to use based on your hardware 
@@ -250,7 +250,7 @@ xpack.ml.model_repository: file://${path.home}/config/models/`
 . Repeat step 2 and step 3 on all master-eligible nodes.
 . {ref}/restart-cluster.html#restart-cluster-rolling[Restart] the 
 master-eligible nodes one by one.
-. Navigate to the **Trained Models** page in {kib}, E5 can be found in the 
+. Navigate to the **Trained Models** page from the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field] in {kib}. E5 can be found in the 
 list of trained models.
 . Click the **Add trained model** button, select the E5 model version you 
 downloaded in step 1 and want to deploy and click **Download**. The selected 

@@ -351,7 +351,7 @@ master-eligible nodes can reach the server you specify.
 . Repeat step 5 on all master-eligible nodes.
 . {ref}/restart-cluster.html#restart-cluster-rolling[Restart] the 
 master-eligible nodes one by one.
-. Navigate to the **Trained Models** page in {kib}, ELSER can be found in the 
+. Navigate to the **Trained Models** page from the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field] in {kib}. ELSER can be found in the 
 list of trained models.
 . Click the **Add trained model** button, select the ELSER model version you 
 downloaded in step 1 and want to deploy, and click **Download**. The selected 
@@ -391,7 +391,7 @@ xpack.ml.model_repository: file://${path.home}/config/models/`
 . Repeat step 2 and step 3 on all master-eligible nodes.
 . {ref}/restart-cluster.html#restart-cluster-rolling[Restart] the 
 master-eligible nodes one by one.
-. Navigate to the **Trained Models** page in {kib}, ELSER can be found in the 
+. Navigate to the **Trained Models** page from the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field] in {kib}. ELSER can be found in the 
 list of trained models.
 . Click the **Add trained model** button, select the ELSER model version you 
 downloaded in step 1 and want to deploy and click **Download**. The selected 
@@ -407,7 +407,7 @@ allocations and threads per allocation values.
 == Testing ELSER
 
 You can test the deployed model in {kib}. Navigate to **Model Management** > 
-**Trained Models**, locate the deployed ELSER model in the list of trained 
+**Trained Models** from the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field] in {kib}. Locate the deployed ELSER model in the list of trained 
 models, then select **Test model** from the Actions menu.
 
 You can use data from an existing index to test the model. Select the index, 

@@ -18,7 +18,7 @@ can use it to perform {nlp} tasks in ingest pipelines.
 == Add an {infer} processor to an ingest pipeline
 
 In {kib}, you can create and edit pipelines in **{stack-manage-app}** >
-**Ingest Pipelines**.
+**Ingest Pipelines**. To open **Ingest Pipelines**, find **{stack-manage-app}** in the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field].
 
 [role="screenshot"]
 image::images/ml-nlp-pipeline-lang.png[Creating a pipeline in the Stack Management app,align="center"]

@@ -294,7 +294,7 @@ You can create a tag cloud to visualize your data processed by the {infer}
 pipeline. A tag cloud is a visualization that scales words by the frequency at 
 which they occur. It is a handy tool for viewing the entities found in the data.
 
-In {kib}, open **Stack management** > **{data-sources-cap}**, and create a new 
+In {kib}, open **Stack management** > **{data-sources-cap}** from the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field], and create a new 
 {data-source} from the `les-miserables-infer` index pattern. 
 
 Open **Dashboard** and create a new dashboard. Select the
-Original file line number
+Diff line change
@@ Expand Up / @@ -17,7 +17,7 @@ exception for your {kib} URL. @@
     --
-    . Click *Machine Learning* in the {kib} main menu.
+    . Open *Machine Learning* from the main menu, or use the {kibana-ref}/kibana-concepts-analysts.html#_finding_your_apps_and_objects[global search field].
     . Select the *{data-viz}* tab.
@@ Expand Down @@