Understand Intelligent Anomaly Analysis Output Fields - Simple Log Service

Intelligent Anomaly Analysis stores its results in a Logstore named internal-ml-log. This topic describes the fields in these results.

Important

Starting July 15, 2025 (UTC+8), the intelligent anomaly analysis feature will no longer be available to new users. Existing users can continue to use it.

Scope of impact
The following core features will be unpublished: intelligent health check, text analytics, and time series forecasting.
Feature Migration Solutions
The machine learning syntax, scheduled query and analysis (scheduled SQL), and dashboard features of Simple Log Service can fully replace the unpublished features.

Common tag structure

The result data for all task types includes the following common fields.

Note

You can query result data for a task using the __tag__:__job_name__ and __tag__:__schedule_id__ fields.

__tag__:__apply_time__:1638414250
__tag__:__batch_id__:a8343****5b0fd
__tag__:__data_type__:anomaly_detect
__tag__:__instance_name__:29030-****7bcdd
__tag__:__job_name__:etl-1637****3966-398245
__tag__:__model_name__:d52b5****c45397
__tag__:__region__:chengdu
__tag__:__schedule_id__:2457f****ebcdd

Field	Description
`__tag__:__apply_time__`	The time when the model inspects the data batch, in seconds.
`__tag__:__batch_id__`	The batch ID. All data processed in a single algorithm run is tagged with the same batch ID.
`__tag__:__data_type__`	The type of data. The valid values are: job_statistic: Statistical data generated during the task run. job_progress: Output data showing the inspection progress for an entity. anomaly_detect: Result data for detected anomalies. detection_process: Detection result data from a model training task. eval_report: Results for the validation set of each entity after a model training task completes.
`__tag__:__instance_name__`	The name of the task instance, which consists of the project ID and the schedule ID. Each intelligent inspection task maps to an instance name in the backend service.
`__tag__:__job_name__`	The task name. The name must be unique within a project.
`__tag__:__model_name__`	The model name. A unique model is created for each entity in the task, and each model name corresponds to a time series entity.
`__tag__:__region__`	The region where the task runs.
`__tag__:__schedule_id__`	The task instance ID. Each task maps to an instance ID in the backend service.

Intelligent inspection (model training)

Different values for the tag:data_type field represent different log types.

Runtime statistics

When the __tag__:__data_type__ field in the result data for your model training task is set to job_statistic, the data represents runtime statistics for the task.

Parameter	Description
meta	Describes the Project and Logstore that contain the data source for the model training task. The data is in JSON format.
project_name	The Project that contains the data source for the model training task.
logstore_name	The Logstore that contains the data source for the model training task.
result	The result content in JSON format.
event_msg	Describes the progress of the model training task at the specified timestamp.
occ_time	The timestamp for the model training task's progress.
tips	Summarizes the progress of the model training task. For example, "Model saved".

Detection results

When the __tag__:__data_type__ field in the result data for your model training task is set to detection_process, the data represents the detection results for the task.

Parameter	Description
meta	Describes the Project and Logstore that contain the data source for the model training task. The data is in JSON format.
project_name	The Project that contains the data source for the model training task.
logstore_name	The Logstore that contains the data source for the model training task.
result	The result content in JSON format.
dim_name	The name of a feature of the entity.
score	The anomaly score of a feature of the entity at a specific time.
value	The value of a feature of the entity at a specific time.
is_train_step	Indicates whether the data point for the entity belongs to the training set.

Validation set results

When the __tag__:__data_type__ field in the result data for your model training task is set to eval_report, the data represents the validation set results for each entity after the task is complete.

Parameter	Description
entity	Identifies the entity to which the model belongs. The data is in key-value pair format.
meta	Describes the Project and Logstore that contain the data source for the model training task. The data is in JSON format.
project_name	The Project that contains the data source for the model training task.
logstore_name	The Logstore that contains the data source for the model training task.
result	The result content in JSON format.
evaluation_metrics.auc	The auc for the validation set, computed by the entity's supervised model.
evaluation_metrics.macro_f1	The macro F1 score for the validation set, computed by the entity's supervised model.
evaluation_metrics.precision	The precision for the validation set, computed by the entity's supervised model.
evaluation_metrics.recall	The recall for the validation set, computed by the entity's supervised model.
time_config.training_start_time	The start time of model training for the entity, in seconds.
time_config.training_stop_time	The end time of model training for the entity, in seconds.
time_config.validation_end_time	The end time of model validation for the entity, in seconds.
time_config.predict_time	The duration of model validation for the entity, in seconds.
time_config.train_time	The duration of model training for the entity, in seconds.
statistic.train_data_meta.train_anomaly_num	The number of anomaly points in the training set for the entity.
statistic.train_data_meta.train_data_length	The length of the training set for the entity.
statistic.evaluation_data_meta.evaluation_anomaly_num	The number of anomaly points in the validation set for the entity.
statistic.evaluation_data_meta.evaluation_data_length	The length of the validation set for the entity.

Intelligent inspection

The tag:data_type field specifies the log type.

Runtime statistics

If the __tag__:__data_type__ field in the result data is set to job_statistic, the data contains the runtime statistics for the task.

{
  "__tag__:__job_name__": "etl-1637133966-398245",
  "__tag__:__region__": "chengdu",
  "__tag__:__data_type__": "job_statistic",
  "__tag__:__apply_time__": "1638415928",
  "__tag__:__instance_name__": "29030-2457fbbd724de9421da8c73d37debcdd",
  "result": {
    "maxEntity": {
      "host": "machine_001",
      "ip": "192.0.2.1"
    },
    "maxTime": 1638415994,
    "minEntity": {
      "host": "machine_001",
      "ip": "192.0.2.1"
    },
    "minTime": 1638415994,
    "nTotalEntity": 1
  }
}

Parameter	Description
result	The result object. The data is in JSON format.
maxEntity	Information about the entity with the latest data point relative to the current data consumption.
maxTime	The timestamp of the most recent data point from an entity, relative to the current data consumption.
nTotalEntity	The total number of entities the current task is inspecting.

Entity inspection progress

If the __tag__:__data_type__ field in the result data is set to job_progress, the data shows the inspection progress for a specific entity. This information helps you determine if a new entity is detected or an existing one has stopped sending data.

{
  "__tag__:__job_name__": "etl-1637133966-398245",
  "__tag__:__region__": "chengdu",
  "__tag__:__data_type__": "job_progress",
  "__tag__:__apply_time__": "1638415883",
  "__tag__:__instance_name__": "29030-2457fbbd724de9421da8c73d37debcdd",
  "result": {
    "new_entity": false,
    "recently_arrived_time": 1638415994
  },
  "meta": {
    "logstore_name": "machine_monitor",
    "project_name": "sls-ml-demo"
  },
  "entity": {
    "host": "machine_001",
    "ip": "192.0.2.1"
  }
}

Parameter	Description
meta	A JSON object that contains information about the project and Logstore for the current task.
project_name	The project that contains the data source for the real-time inspection task.
logstore_name	The Logstore that contains the data source for the real-time inspection task.
result	The result object. The data is in JSON format.
new_entity	Indicates whether a new entity is detected.
recently_arrived_time	The timestamp of the last valid data point received from the entity specified in the entity field.
entity	A JSON object containing the dimensions that identify the entity.

Anomaly result data

If the __tag__:__data_type__ field in the result data is set to anomaly_detect, the data contains anomaly detection results.

{
  "__time__": 1638416474,
  "__tag__:__batch_id__": "a5870979816fc507cbeebc6b1133af0a",
  "__tag__:__schedule_id__": "2457fbbd724de9421da8c73d37debcdd",
  "__tag__:__apply_time__": "1638416291",
  "__tag__:__job_name__": "etl-1637133966-398245",
  "__tag__:__model_name__": "d52b59a6bfb3adcf2ee62a5064c45397",
  "__tag__:__data_type__": "anomaly_detect",
  "__tag__:__region__": "chengdu",
  "__tag__:__instance_name__": "29030-2457fbbd724de9421da8c73d37debcdd",
  "result": {
    "anomaly_type": "None",
    "dim_name": "value",
    "is_anomaly": false,
    "score": 0,
    "value": "0.780000"
  },
  "meta": {
    "logstore_name": "machine_monitor",
    "project_name": "sls-ml-demo"
  },
  "entity": {
    "host": "machine_001",
    "ip": "192.0.2.1"
  }
}

Parameter	Description
entity	A JSON object derived from the source data that identifies the specific monitoring entity.
meta	A JSON object derived from the configuration of the intelligent inspection task.
project_name	The project that contains the Logstore.
logstore_name	The Logstore that contains the data source.
result	The result object containing the intelligent inspection result for each data point.
dim_name	The name of the metric, which is derived from the source data. For both univariate and multivariate time series, each result object contains the inspection outcome for a single metric.
value	The value of the metric identified by result.dim_name, derived from the source data.
score	An anomaly score from 0 to 1 that quantifies the severity of an anomaly. A higher score indicates a more severe anomaly.
is_anomaly	Indicates whether the data point is considered an anomaly. If result.score is greater than 0.5, this value is `true`. If result.score is greater than 0.75, this value is `true` and an alert is triggered.
anomaly_type	The anomaly type as preliminarily determined by the model. Supported types include: spike, drift, jitter, missing, and threshold exceeded. For more information, see Anomaly types.

Text analysis

This table lists the common fields for text analysis, excluding common tag fields.

Parameter	Description
algo_type	The algorithm type.
result_type	The result type.
result	The result content, in JSON format. The value of the result field depends on the value of the result_type field.
meta	The metadata, in JSON format.
project_name	The Project that contains the Logstore.
LogStore_name	The Logstore that contains the data source.
topic	The log topic of the data source.
query	The method for pulling data, such as using a consumer group.
win_size	The length of the time window.
version	The algorithm version.

The value of the result field depends on the result_type field. The result field is described in detail as follows.

The result_type field is cluster_info

When the result_type field is cluster_info, the result field contains log category information as follows:

"result": {
  "cluster_id": "xxxx",
  "cluster_pattern": "xxxx",
  "cluster_active_age": 120,
  "cluster_alive_age": 150,
  "anomaly_score": 0.1,
  "count": 2,
  "source": []
}

Parameter	Description
result.cluster_id	The ID of the log category.
result.cluster_pattern	The log template for the log category.
result.cluster_active_age	The number of time windows in which the log category has been active. A log category is active in a time window if logs from that category appear in that window.
result.cluster_alive_age	The number of time windows since the log category first appeared.
result.anomaly_score	The anomaly score of the log category.
result.count	The number of logs in the log category.
result.source	The possible values for the variables in the log template.

result_type field is group_info

When the result_type field is group_info, the result field contains information about the log category group, as follows:

"result": {
  "group_anomaly_score": 0.1,
  "group_age": 10,
  "group_n_event": 190,
  "group_n_cluster": 10
}

Parameter	Description
result.group_anomaly_score	The anomaly score of the log category group.
result.group_age	The sequence number of the current time window.
result.group_n_event	The total number of logs in the log category group during the current time window.
result.group_n_cluster	The total number of log categories in the log category group during the current time window.

result_type field is anomaly_info

When the result_type field is anomaly_info, the result field contains information about the anomaly event, as follows:

"result": {
  "anomaly_id": "xxxx",
  "anomaly_type": "xxxx",
  "value": 0,
  "anomaly_score": 0.0,
  "expect_lower": 0.0,
  "expect_upper": 0.0
}

Parameter	Description
result.anomaly_id	The ID of the log category associated with the anomaly.
result.anomaly_type	The anomaly type.
result.value	The event value. The result.anomaly_type field value determines the meaning of the result.value field.
result.anomaly_score	The anomaly score.
result.expect_lower	The lower limit of the expected event value (result.value field).
result.expect_upper	The upper limit of the expected event value in the result.value field.

Time series forecasting

This table describes the common fields in time series forecasting results, excluding common tag fields.

Parameter	Description
algo_type	The algorithm type. The value is `series_prediction`.
result_type	The result type. The value is `prediction_ok` for a successful operation or `prediction_error` for a failed operation.
result	The result content, in JSON format. The value of the result field depends on the value of the result_type field.
meta	The metadata, in JSON format.
project_name	The name of the Project that contains the Logstore.
LogStore_name	The name of the Logstore that contains the data source.
topic	The log topic of the data source.
version	The algorithm version.

The structure of the result field depends on the value of the result_type field. The following sections describe the result field in detail.

When result_type is prediction_ok

When the result_type field is prediction_ok, the forecast is successful. Each log contains the forecast result for a point in the time series. The corresponding result field is structured as follows:

{
  "entity": "xxxx",
  "metric": "xxxx",
  "time": xxxx,
  "value": "xxxx",
  "expect_value": "xxxx",
  "expect_lower": "xxxx",
  "expect_upper": "xxxx"
}

Parameter	Description
result.entity	The entity ID of the time series.
result.metric	The metric of the time series.
result.time	The timestamp of the current point in the time series.
result.value	The actual value of the current point.
result.expect_value	The forecast value for the current point.
result.expect_lower	The forecast lower limit for the current point.
result.expect_upper	The forecast upper limit for the current point.

When result_type is prediction_error

When the result_type field is prediction_error (in which case the __tag__:__data_type__ field is job_error_message), the forecast failed. The corresponding result field is structured as follows:

{
  "entity": "xxxx",
  "metric": "xxxx",
  "error_type": "xxxx",
  "error_msg": "xxxx"
}

Parameter	Description
result.entity	The entity ID of the time series.
result.metric	The metric of the time series.
result.error_type	The error type.
result.error_msg	The error details.

Drill-down analysis

This table lists the common fields in drill-down analysis results, excluding common tag fields.

Parameter

Description

result

The result is a JSON object.

The result field's value depends on the __tag__:__data_type__ field.

The __tag__:__data_type__ field indicates the log type.

Progress

When the value of the tag:data_type field is job_progress, the result field contains progress information for the task.

Field	Description
result.from_ts	The start time of the task.
result.to_ts	The end time of the task. A value of `inf` indicates that the task is ongoing.
result.progress	The current progress of the task.
result.message	Status information about the task's current progress.

Status

When the value of the tag:data_type field is job_status, the result field contains status information for the drill-down analysis task.

Field	Description
result.from_ts	The start time of the task.
result.to_ts	The end time of the task. A value of `inf` indicates that the task is ongoing.
result.status	The status of the task.
result.message	The status information for the task.

Root cause

When the value of the tag:data_type field is root_cause, the result field contains root cause information from the drill-down analysis.

Field	Description
result.status	Specifies whether a root cause was found for the event. Valid values are: `success`: A root cause was found. `fail`: No root cause was found.
result.snapshot_time	The timestamp of the multi-dimensional time series data used for the drill-down analysis.
result.elapsed_time	The duration of the root cause analysis for the event.
result.event_info	The event that triggered the root cause analysis.
result.root_cause	If result.status is `success`, this field contains the results of the root cause analysis.
result.reason	If result.status is `fail`, this field explains why no root cause was found.