Machine learning anomaly detection in Elasticsearch - Time & Space Complexity

When using machine learning for anomaly detection in Elasticsearch, it is important to understand how the time taken grows as the data size increases.

We want to know how the processing time changes when we analyze more data points.

Analyze the time complexity of the following Elasticsearch anomaly detection job configuration.

POST _ml/anomaly_detectors/job_id/_start
{
  "datafeed_config": {
    "indices": ["logs"],
    "query": { "match_all": {} }
  },
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [{ "function": "mean", "field_name": "response_time" }]
  }
}
    

This code starts an anomaly detection job that scans all log entries to find unusual average response times in 15-minute buckets.

Identify the loops, recursion, array traversals that repeat.

• Primary operation: Scanning and aggregating data points in fixed time buckets.
• How many times: Once per bucket, covering all data points in that bucket.

As the number of data points grows, the job processes more buckets or more points per bucket.

Input Size (n)	Approx. Operations
10,000 data points	~10,000 operations (each point processed once)
100,000 data points	~100,000 operations
1,000,000 data points	~1,000,000 operations

Pattern observation: The operations grow roughly in direct proportion to the number of data points.

Time Complexity: O(n)

This means the time to detect anomalies grows linearly with the number of data points analyzed.

[X] Wrong: "The anomaly detection runs instantly no matter how much data there is."

[OK] Correct: The job must look at each data point to find unusual patterns, so more data means more work and more time.

Understanding how data size affects machine learning tasks like anomaly detection helps you explain system behavior and design efficient solutions.

"What if we changed the bucket span from 15 minutes to 1 minute? How would the time complexity change?"