Perform real time anomaly detection using Google Cloud’s Timeseries Insights API — Part I
Overview of an easy to use API to scale billions of timeseries with low latency anomaly detection and forecasting
This is first of the two part article on real time anomaly detection using Google Cloud’s Timeseries Insight API. In this article, I’ll cover how to create dataset for anomaly detection and how to query for anomaly. The part-II will focus on how to add new events in streaming fashion and get anomaly on newly added data and how to delete unwanted timeseries datasets.
Time series forecasting and anomaly detection are common use cases in ML and used widely across different industries for example traffic forecasting, demand planning, stock inventory etc. Most of these existing systems run forecasting and anomaly detection as batch jobs. In this tutorial, I’ll explain and demonstrate a use case to detect anomalies in near real time (sub second latency) using Google Cloud’s Timeseries Insights API.
So what is Timeseries Insights API and why and where would you use it?
Google Cloud’s Timeseries Insights API is a general purpose anomaly detection framework which provides low cost, low latency and high scalability solution.
There are multiple anomaly detection methods exists today. These range from simple ones, based on observing a threshold over time to more complex ones which dynamically adjust the resolution interval. The key limitation of these systems is the cost of analyzing a timeseries and picking interesting ones. In addition to this, forecasting and anomaly detection over billions of timeseries is computationally expensive when runs in batch fashion. This is the critical limitation for doing online and real time analysis for example: send an alert to users based on event dimension value fluctuations.
The main goal of doing timeseries forecasting and using it for anomaly detection with timeseries Insights API are:
- Scale to billions of timeseries (timeseries => series of counts over time for a given event)
- Real time latency (sub second) for forecasting and anomaly detection
- Provide comparatively cheaper batch inference for timeseries forecasting
Let’s understand how Timeseries Insights API works with an example and see it in action. There are 4 main methods to interact with API and get things going. These are:
- Create and load dataset
- Query dataset
- Update dataset (append streaming/new events in an existing datasets)
- Delete dataset
We will cover first methods in this article. You can checkout the official API documentations for setup instructions for the API and set up appropriate permissions. Now let’s get to the fun part:
We are using a fictitious IoT dataset. The data comes from a single sensor and an event is streamed every 25 seconds or so with readings of attributes like light, temperature, hydrogen, humidity values within a warehouse. The dataset consists roughly 3 months of data and has 202K rows. We will use this dataset in this exercise. Here are some sample rows from dataset:
and here is how the values of each attributes looks like over the period of time:
As you can see in the plot above, the values of light fluctuated a lot and values for light and temperature were more or less consistent except some days where there was a sharp increase in temperature values and sharp decline in hydrogen values around the same time. For analysis in this article, I am going to consider only temperature values and we will try to detect the anomalies in the temperature values.
If you look closely to only temperature values, it spiked very quickly between 06/21/21 to 06/28/21. For this tutorial, this timeframe will be used to query to check anomalies in temperature values
1. Creating dataset
Before we query for anomaly using Timeseries Insight API, we will need to create dataset within API using historical dataset. a dataset is a collection of events and queries are performed using this dataset. API expects this data to be in certain json format. A sample of an event in this format for given dataset looks like below:
{“groupId”:”-8865179820473228792",
”eventTime”:”2021–06–14T00:02:24+00:00",
”dimensions”:
[{“name”:”measure”,”stringVal”:”LTTH”},{“name”:”Humidity”,”doubleVal”:36},
{“name”:”Light”,”doubleVal”:102},
{“name”:”h2_raw”,”doubleVal”:1040},{“name”:”temp”,”doubleVal”:36.95}]}Here this one event represents one row from tabular dataset shown in image previously. Let’s first understand the different components for creating dataset in Timeseries Insights API. The resource section of this article has the link for the notebook that contains the full code to convert tabular data to json required format.
groupId here represents each unique event in your dataset. Think of this as an event identifier and since each row in our dataset is one event, we have a unique groupId for each event in above transformed json format. I used FARM_FINGERPRINT hash function from BigQuery to generate this. The purpose of group is to compute correlation among events from same group. Note that if you do not have this in your dataset then a groupId will be autogenerated using timestamp and other content from your dataset therefore its better to create it yourself for complete control of schema.
eventTime (case sensitive) is nothing but timestamp of your event.
dimensions are the properties for given event. It can be categorical or numerical. You can also think of this as different attributes of your timeseries data. Note that each dimension will have name and its values using stringVal, doubleVal or longVal
Note: notice that json event contains a dimension with key value pair named “measure” and “LTTH” but our original dataset does not have column with same name.
This has to do with a concept called slice within timeseries insights API. A slice is subset of all events within dataset that have some values across some categorical dimension but since we do not have any such attribute/column in our dataset (all attributes are numerical), we need to create a dummy one of type categorical and since each event in our dataset is unique and there is no hierarchy, we can use some arbitrary string value for this dummy dimension which will have same value for each event.
In future, slicing using numerical dimension will be supported by the API
That’s all you need to know to create dataset in required format. The transformed json file now has 202k rows (same as original dataset). Now before this dataset can be created, we’ll need to move this json file to a cloud storage bucket. You can use following command to move file in a bucket in cloud storage:
gsutil cp transformed.json gs://<my-data-bucket-name>The next step is to issue a create dataset command to timeseries insights API to create dataset with all historical records.
In the code above, file data is json payload used to create dataset. First, provide a dataset name (sensor-data here), Then ttl is set which is a parameter set that determines how long the dataset data should be stored for before being discarded. This states that the events being appended (for new incoming data) must be newer than current time minus ttl value. Then dataNames parameter is a list of all the dimensions present in your dataset. Essentially, you want to include all dimension here that you wish to query for anomaly and forecasting. Lastly, dataSources is gcs location of your transformed json file that contains the historical data.
This create request returns success if API server accepts it. you can submit another request to see or list the dataset. Initially the job will be “LOADING” status until indexing completes for all the dimensions, then status becomes as “LOADED”, and this indicates that dataset can start accepting the queries and updates for anomaly and forecasting.
Checking status and list all datasets in API server by running following code
Following is the response you’ll see. You can see the dataset name, all indexed dimensions, dataset uri of your json file in cloud storage and number or rows in the dataset. Note that you can only query dataset when the status is LOADED and depending on the size of your data, it can take a while before it indexed and ready for query.
{'datasets': [{'name': 'projects/your-project-name/locations/us-central1/datasets/sensor-data',
'dataNames': ['measure', 'Humidity', 'Light', 'h2_raw', 'temp'],
'dataSources': [{'uri': 'gs://<your-bucket-name>/transformed.json'}],
'state': 'LOADED',
'status': {'message': 'name: "num-items-examined"\nvalue: 202267\n,name: "num-items-ingested"\nvalue: 202267\n,name: "processed-session"\nvalue: 202267\n'}}]}2. Query for anomaly
Once the dataset has been successfully created and is in the Loaded status, API is ready to accept the queries for anomalies or forecasting. Similar to creating dataset, there is query data json payload that will be used to make HTTP request to API. Following is an example payload for querying for anomaly in temperature value.
At high level, Timeseries Insights API anomaly detection query verifies if there are any slices in dataset that have an expected value at given specific point in time and this is called detection time. There are four top level parameters that you need to be aware of:
- detectionTime: detection time indicates the moment in time we want to analyze and raise an anomaly if the expected value if different than the actual value of metric you selected for.
- slicingParams: Slicing indicates how the events are grouped into slides and controlled at query time. dimensionNames parameter takes a list of dimensions that you can use to slice your data. In query above, we are using dummy dimension measure. Remember, currently you can only use dimension of type string to slice your data. In future, there will be support to slice data using numeric dimension.
- timeseriesParams: These parameter controls how much data is used during anomaly detection and process of aggregating events into time series for each slice. forecastHistory parameter is amount of time in seconds and indicates how many points we include in time series during anomaly query. granularity parameter represents the fixed distance between consecutive time series points. This can be adjusted to lower values to capture recurring patterns. It also implicitly represents the width of aggregated window period in seconds. metric is the parameter of type numeric and its value is used for aggregation. Essentially this is the dimension that user is querying anomaly for.
- forecastParams: These parameters controls setting like sensitivity, seasonalities and horizon window etc. sensitivity specifies how sensitive the anomaly detection process is. It’s value must be in (0.0, 0.1] interval. Lower value indicates less sensitivity and results in lower anomalies and increasing its value results in high anomaly values as process becomes very sensitive. noiseThreshold represents the minimum difference between expected and actual values at detection time for given slice.
Note: There are more parameters available for creating your query payload. For full list of available parameters checkout resource section. I have only described some of these that have been used in code above.
Below is how a raw events timeseries is transformed to a new timeseries form where attribute values have been aggregated by time period 360 seconds. For the illustration purpose, it shows all the attributes but in reality time series will only contains the dimension used in metric field in the query payload.
Here is the query result for anomaly look like and in this you can see the internal time series that has been created. You can also turn off this history and just output the anomaly result in payload. These values at timestamps are aggregated value for temperature with window of granularity value set in the query payload. This can be customized and altered for each anomaly query by users to accommodate the seasonality and business requirements.
{'name': 'projects/pnishit-mlai/datasets/sensor_data_test',
'slices': [{'dimensions': [{'name': 'measure', 'stringVal': 'LTTH'}],
'history': {'point': [{'time': '2021-06-24T15:00:00Z', 'value': 2995.96},
{'time': '2021-06-24T15:30:00Z', 'value': 3180.5099999999998},
{'time': '2021-06-24T16:00:00Z', 'value': 3330.51},
{'time': '2021-06-24T16:30:00Z', 'value': 3468.07},
{'time': '2021-06-24T17:00:00Z', 'value': 3583.22},
{'time': '2021-06-24T17:30:00Z', 'value': 3672.84},
{'time': '2021-06-24T18:00:00Z', 'value': 3744.3500000000004},
{'time': '2021-06-24T18:30:00Z', 'value': 3813.61},
{'time': '2021-06-24T19:00:00Z', 'value': 3624.17},
{'time': '2021-06-24T19:30:00Z', 'value': 3935.7699999999995},
{'time': '2021-06-24T20:00:00Z', 'value': 3978.78},
{'time': '2021-06-24T20:30:00Z', 'value': 4022.67},
{'time': '2021-06-24T21:00:00Z', 'value': 4064},
{'time': '2021-06-24T21:30:00Z', 'value': 4103.86},
{'time': '2021-06-24T22:00:00Z', 'value': 4141.099999999999},
{'time': '2021-06-24T22:30:00Z', 'value': 4171.9800000000005},
{'time': '2021-06-24T23:00:00Z', 'value': 4206.53},
{'time': '2021-06-24T23:30:00Z', 'value': 4226.34},
{'time': '2021-06-25T00:00:00Z', 'value': 4172.81},
{'time': '2021-06-25T00:30:00Z', 'value': 4085.0400000000004},
{'time': '2021-06-25T01:00:00Z', 'value': 4013.5500000000006},
{'time': '2021-06-25T01:30:00Z', 'value': 3981.5299999999997},
{'time': '2021-06-25T02:00:00Z', 'value': 3955.63},
{'time': '2021-06-25T02:30:00Z', 'value': 3906.63},
{'time': '2021-06-25T03:00:00Z', 'value': 3846.0699999999997},
{'time': '2021-06-25T03:30:00Z', 'value': 3796.7999999999997},
{'time': '2021-06-25T04:00:00Z', 'value': 3758.2000000000003},
{'time': '2021-06-25T04:30:00Z', 'value': 3725.0299999999997},
{'time': '2021-06-25T05:00:00Z', 'value': 3692.67},
{'time': '2021-06-25T05:30:00Z', 'value': 3660.129999999999},
{'time': '2021-06-25T06:00:00Z', 'value': 3633.4300000000003},
{'time': '2021-06-25T06:30:00Z', 'value': 3610.93},
{'time': '2021-06-25T07:00:00Z', 'value': 3592.7699999999995},
{'time': '2021-06-25T07:30:00Z', 'value': 3568.870000000001},
{'time': '2021-06-25T08:00:00Z', 'value': 3548.359999999999},
{'time': '2021-06-25T08:30:00Z', 'value': 3508.33},
{'time': '2021-06-25T09:00:00Z', 'value': 3470.5899999999997},
{'time': '2021-06-25T09:30:00Z', 'value': 3436.9699999999993},
{'time': '2021-06-25T10:00:00Z', 'value': 3408.55},
{'time': '2021-06-25T10:30:00Z', 'value': 3391.9299999999994},
{'time': '2021-06-25T11:00:00Z', 'value': 3410.7200000000003},
{'time': '2021-06-25T11:30:00Z', 'value': 3450.05},
{'time': '2021-06-25T12:00:00Z', 'value': 3515.57},
{'time': '2021-06-25T12:30:00Z', 'value': 3603.83},
{'time': '2021-06-25T13:00:00Z', 'value': 3692.41},
{'time': '2021-06-25T13:30:00Z', 'value': 3773.9999999999995},
{'time': '2021-06-25T14:00:00Z', 'value': 3853.7},
{'time': '2021-06-25T14:30:00Z', 'value': 3923.61},
{'time': '2021-06-25T15:00:00Z', 'value': 3977.2799999999997},
{'time': '2021-06-25T15:30:00Z', 'value': 4009.2700000000004},
{'time': '2021-06-25T16:00:00Z', 'value': 4024.3199999999997},
{'time': '2021-06-25T16:30:00Z', 'value': 4041.01},
{'time': '2021-06-25T17:00:00Z', 'value': 4076.29},
{'time': '2021-06-25T17:30:00Z', 'value': 4104.429999999999},
{'time': '2021-06-25T18:00:00Z', 'value': 4120.57},
{'time': '2021-06-25T18:30:00Z', 'value': 4146.42},
{'time': '2021-06-25T19:00:00Z', 'value': 4178.8099999999995},
{'time': '2021-06-25T19:30:00Z', 'value': 4210.83},
{'time': '2021-06-25T20:00:00Z', 'value': 4245.74},
{'time': '2021-06-25T20:30:00Z', 'value': 4275.35},
{'time': '2021-06-25T21:00:00Z', 'value': 4296.56},
{'time': '2021-06-25T21:30:00Z', 'value': 4301.129999999999},
{'time': '2021-06-25T22:00:00Z', 'value': 4299.98},
{'time': '2021-06-25T22:30:00Z', 'value': 4319.23},
{'time': '2021-06-25T23:00:00Z', 'value': 4345.3},
{'time': '2021-06-25T23:30:00Z', 'value': 4326.54},
{'time': '2021-06-26T00:00:00Z', 'value': 4273.6},
{'time': '2021-06-26T00:30:00Z', 'value': 4212.950000000001},
{'time': '2021-06-26T01:00:00Z', 'value': 4156.549999999999},
{'time': '2021-06-26T01:30:00Z', 'value': 4116.820000000001},
{'time': '2021-06-26T02:00:00Z', 'value': 4081.8199999999997},
{'time': '2021-06-26T02:30:00Z', 'value': 4049.9899999999993},
{'time': '2021-06-26T03:00:00Z', 'value': 4022},
{'time': '2021-06-26T03:30:00Z', 'value': 4048.0999999999995},
{'time': '2021-06-26T04:00:00Z', 'value': 3968.9299999999994},
{'time': '2021-06-26T04:30:00Z', 'value': 3948.3800000000006},
{'time': '2021-06-26T05:00:00Z', 'value': 3927.44},
{'time': '2021-06-26T05:30:00Z', 'value': 3909.3899999999994},
{'time': '2021-06-26T06:00:00Z', 'value': 3895.73},
{'time': '2021-06-26T06:30:00Z', 'value': 3883.1},
{'time': '2021-06-26T07:00:00Z', 'value': 3882.58},
{'time': '2021-06-26T07:30:00Z', 'value': 3893.34},
{'time': '2021-06-26T08:00:00Z', 'value': 3891.4699999999993},
{'time': '2021-06-26T08:30:00Z', 'value': 3894.45},
{'time': '2021-06-26T09:00:00Z', 'value': 3896.4600000000005},
{'time': '2021-06-26T09:30:00Z', 'value': 3953.680000000001},
{'time': '2021-06-26T10:00:00Z', 'value': 3901.069999999999},
{'time': '2021-06-26T10:30:00Z', 'value': 3907.5699999999997},
{'time': '2021-06-26T11:00:00Z', 'value': 3929.04},
{'time': '2021-06-26T11:30:00Z', 'value': 3968.5},
{'time': '2021-06-26T12:00:00Z', 'value': 4018.16},
{'time': '2021-06-26T12:30:00Z', 'value': 4077.7299999999996},
{'time': '2021-06-26T13:00:00Z', 'value': 4134.67},
{'time': '2021-06-26T13:30:00Z', 'value': 4171.8099999999995},
{'time': '2021-06-26T14:00:00Z', 'value': 4189.67},
{'time': '2021-06-26T14:30:00Z', 'value': 4216.96},
{'time': '2021-06-26T15:00:00Z', 'value': 4262.1900000000005},
{'time': '2021-06-26T15:30:00Z', 'value': 4305.4},
{'time': '2021-06-26T16:00:00Z', 'value': 4338.31},
{'time': '2021-06-26T16:30:00Z', 'value': 4369.320000000001},
{'time': '2021-06-26T17:00:00Z', 'value': 4403.7},
{'time': '2021-06-26T17:30:00Z', 'value': 4435.98},
{'time': '2021-06-26T18:00:00Z', 'value': 4521.87},
{'time': '2021-06-26T18:30:00Z', 'value': 4478.610000000001},
{'time': '2021-06-26T19:00:00Z', 'value': 4474.28},
{'time': '2021-06-26T19:30:00Z', 'value': 4470.839999999999},
{'time': '2021-06-26T20:00:00Z', 'value': 4482.829999999999},
{'time': '2021-06-26T20:30:00Z', 'value': 4490.8099999999995},
{'time': '2021-06-26T21:00:00Z', 'value': 4490.0199999999995},
{'time': '2021-06-26T21:30:00Z', 'value': 4480.2},
{'time': '2021-06-26T22:00:00Z', 'value': 4460.11},
{'time': '2021-06-26T22:30:00Z', 'value': 4445.86},
{'time': '2021-06-26T23:00:00Z', 'value': 4429.5},
{'time': '2021-06-26T23:30:00Z', 'value': 4411.9},
{'time': '2021-06-27T00:00:00Z', 'value': 4398.25},
{'time': '2021-06-27T00:30:00Z', 'value': 4372.870000000001},
{'time': '2021-06-27T01:00:00Z', 'value': 4341.87},
{'time': '2021-06-27T01:30:00Z', 'value': 4368.8},
{'time': '2021-06-27T02:00:00Z', 'value': 4283.039999999999},
{'time': '2021-06-27T02:30:00Z', 'value': 4259.9800000000005},
{'time': '2021-06-27T03:00:00Z', 'value': 4239.389999999999},
{'time': '2021-06-27T03:30:00Z', 'value': 4229.23},
{'time': '2021-06-27T04:00:00Z', 'value': 4223.23},
{'time': '2021-06-27T04:30:00Z', 'value': 4216.63},
{'time': '2021-06-27T05:00:00Z', 'value': 4203.12},
{'time': '2021-06-27T05:30:00Z', 'value': 4180.82},
{'time': '2021-06-27T06:00:00Z', 'value': 4169.47},
{'time': '2021-06-27T06:30:00Z', 'value': 4152.599999999999},
{'time': '2021-06-27T07:00:00Z', 'value': 4136.5},
{'time': '2021-06-27T07:30:00Z', 'value': 4128.530000000001},
{'time': '2021-06-27T08:00:00Z', 'value': 4119.19},
{'time': '2021-06-27T08:30:00Z', 'value': 4100.19},
{'time': '2021-06-27T09:00:00Z', 'value': 4085.1599999999994},
{'time': '2021-06-27T09:30:00Z', 'value': 4141.089999999999},
{'time': '2021-06-27T10:00:00Z', 'value': 4097.710000000001},
{'time': '2021-06-27T10:30:00Z', 'value': 4102.32},
{'time': '2021-06-27T11:00:00Z', 'value': 4105.12},
{'time': '2021-06-27T11:30:00Z', 'value': 4118.86},
{'time': '2021-06-27T12:00:00Z', 'value': 4134.59},
{'time': '2021-06-27T12:30:00Z', 'value': 4156.07},
{'time': '2021-06-27T13:00:00Z', 'value': 4184.75},
{'time': '2021-06-27T13:30:00Z', 'value': 4224.679999999999},
{'time': '2021-06-27T14:00:00Z', 'value': 4276.73},
{'time': '2021-06-27T14:30:00Z', 'value': 4324.28},
{'time': '2021-06-27T15:00:00Z', 'value': 4365.74}]},
'forecast': {'point': [{'time': '2021-06-27T15:00:00Z',
'value': 4910.465311007107}]},
'detectionPointActual': 4365.74,
'detectionPointForecast': 4910.465311007107,
'expectedDeviation': 310.28363664899683,
'anomalyScore': 1.511934641477489,
'status': {}}]}The result output has a lot of information. First, we see the timeseries built by the API based on your query payload. We also see the forecasted value and actual value of the metric at the detection time. Two main piece of information are expectedDeviation and anomalyScore which are describe below. You can use these to finally calculate the anomaly for given detection time for your data. Since the anomaly score is greater than 1.0 and difference between expected and actual temp values are significant enough, we will consider this as an anomaly for given detection time.
For each query, there are few things in the result.
- detectionPointActual this is the value of timeseries attrbitue that you queried for (metric = temperature in this case). This is the actualy value (aggregated) at the
detectionTime. - detectionPointForecast is the forecasted value at the `detectionTime` for timeseries attribute.
- expectedDeviation indicated the confidence level in the forecasting values. It specifies the absolute deviation from the forecsted value by the API.
- anomalyScore you can think of this as actual deviation between forecasted value and actual value at
detetionTime. If this value is higher then we consider a slice to be an anomaly. In other word, this score indicates how far actual deviation is from expected deviation.
In general, scores lower than 1.0 reflect variations that are common considering the history of the slice, while scores higher than 1.0 should require attention, with higher scores representing more severe anomalies.This result can be consumed in downstream application for business purpose.
Again interpreting the anomaly score and expected deviation is relative and can depend on use case therefore a particular value of these that result in anomaly for one use case might not be an anomaly for other use case.
As you can see how easy and quick it is to do real time anomaly detection without any training effort or custom modeling. Once the dataset is ready, users can quickly analyze it for anomaly detection and large scale and low latency forecasting.
In this tutorial, we have covered how to create dataset from historical dataset and how to query for anomaly and time series forecasting. In the next part of this blog I will cover how to add data to an existing dataset in real time streaming fashion and perform detection on same. Stay tuned for part — II
