Results presentation

Before we get into the detail of where the results are stored and what they look like at a document level, we need to understand that the results from ML jobs are presented at three different levels of abstraction:

  • The bucket level: This level summarizes the results of the entirety of the ML job per time bucket. Essentially, it is a representation of how unusual that time bucket is, given the configuration of your job. If your job has multiple detectors, or splits in the analysis resulting in results for possibly many entities simultaneously, then each bucket level result is an aggregated representation of all of those things.
  • The record level: This is the most detailed information about each and every anomalous occurrence or anomalous entity within a time bucket. Again, depending on the job configuration (multiple detectors, splits, and so on), there can be many record-level documents per time bucket.
  • The influencer level: This is used to better understand the most unusual entities (influencers) within a timespan.

In general, and as we will see in the examples given later in this chapter, leveraging these different levels of abstraction is useful for different kinds of alerting, such as summary alerts, detailed alerts, and so on.

Actually accessing the results means using one of two methods:

  • Using the ML /results API
  • Querying the results indices that ML creates in Elasticsearch

The method that's chosen is up to the user. In general, directly querying the results indices offers more flexibility and is more common than using the results API, so we will focus our discussions on understanding the results indices and the different kinds of documents therein.
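As an added example (not the book's own code), the following Python shows how the three result levels map onto queries against the ML results indices: a bucket-level query drives a summary alert, a record-level query a detailed one, and an influencer-level query names the most unusual entities. It assumes the standard Elasticsearch ML result fields (`result_type`, `anomaly_score`, `record_score`, `influencer_score`, `job_id`, `timestamp`) and the `.ml-anomalies-*` index pattern; the sample documents are constructed, not real job output.

```python
# Added example: one query shape per result level, evaluated locally over
# constructed sample documents instead of being sent to Elasticsearch.
# Field and index names are the standard Elastic ML ones (assumption);
# the sample documents below are constructed.
INDEX_PATTERN = ".ml-anomalies-*"

# The score field that expresses "how unusual" at each level of abstraction.
SCORE_FIELD = {"bucket": "anomaly_score",
               "record": "record_score",
               "influencer": "influencer_score"}

def results_query(level, job_id, min_score, since_ms):
    """Build the search body for one result level of one job."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"job_id": job_id}},
            {"term": {"result_type": level}},
            {"range": {SCORE_FIELD[level]: {"gte": min_score}}},
            {"range": {"timestamp": {"gte": since_ms}}},
        ]}},
        "sort": [{SCORE_FIELD[level]: "desc"}],
    }

def matches(doc, body):
    """Apply the filter clauses locally (stand-in for the search call)."""
    for clause in body["query"]["bool"]["filter"]:
        if "term" in clause:
            (field, value), = clause["term"].items()
            if doc.get(field) != value:
                return False
        else:
            (field, rng), = clause["range"].items()
            if doc.get(field, -1) < rng["gte"]:
                return False
    return True

# Constructed documents for a single time bucket of a hypothetical job.
T0 = 1_700_000_000_000  # epoch milliseconds
SAMPLE = [
    {"job_id": "web_traffic", "result_type": "bucket", "timestamp": T0, "anomaly_score": 87.4},
    {"job_id": "web_traffic", "result_type": "record", "timestamp": T0, "record_score": 95.1,
     "detector_index": 0, "partition_field_value": "/login"},
    {"job_id": "web_traffic", "result_type": "record", "timestamp": T0, "record_score": 12.3,
     "detector_index": 0, "partition_field_value": "/index"},
    {"job_id": "web_traffic", "result_type": "influencer", "timestamp": T0, "influencer_score": 91.0,
     "influencer_field_name": "client_ip", "influencer_field_value": "198.51.100.7"},
]

def alerts(level, docs, min_score=75, job_id="web_traffic", since_ms=0):
    """Return the documents at `level` that would fire an alert, highest score first."""
    body = results_query(level, job_id, min_score, since_ms)
    hits = [d for d in docs if matches(d, body)]
    return sorted(hits, key=lambda d: d[SCORE_FIELD[level]], reverse=True)
```

A summary alert only needs `alerts("bucket", ...)`, while a detailed alert walks `alerts("record", ...)` to name the offending entity per detector.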
