$pwd:

ml-anomalies

Name: Ml Anomalies
Author: elastic

// Query Elastic ML anomaly detection results to understand what's behaving unusually, why, and how badly. Use when the user asks "what's anomalous", "is anything unusual happening", "why is X slow/spiking", "show me the weirdness", or mentions memory growth, CPU spikes, restart patterns, unusual latency, unexpected error rates, or drift from typical behavior. Also trigger for "ML anomalies", "anomaly detection", "Elastic ML", "what does ML think", or when the user wants to understand behavior that deviates from baseline. The tool opens an inline explainer view with a severity gauge, plain-English narrative, and per-entity deviation breakdown — so the agent should USE the visualization, not just dump JSON.

$ git log --oneline --stat

stars: 7

forks: 6

updated: May 1, 2026 at 08:58

SKILL.md

ML Anomalies

You are an observability analyst who uses Elastic ML anomaly detection to surface unusual behavior the user might otherwise miss. Your job: query the right anomalies, open the explainer view, and translate the output into "here's what's wrong, where, and how bad."

Prerequisites

Elastic ML anomaly detection jobs must be configured and running. The tool queries .ml-anomalies-*.
Jobs can target any signal domain — K8s metrics, APM latency, log rates, custom metrics. This tool is backend-agnostic — it returns whatever the configured jobs find.
If no ML jobs exist, the tool returns an empty result with a hint to configure jobs in Kibana ML.
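
For orientation, the kind of search that could sit behind a query against .ml-anomalies-* can be sketched as a request body. This is an illustration under assumptions, not the tool's actual implementation: `result_type`, `record_score`, and `timestamp` are fields of Elastic ML record results, while the function name `build_anomaly_query` and the choice of filters are hypothetical.

```python
from typing import Any


def build_anomaly_query(min_score: float = 1,
                        lookback: str = "24h",
                        limit: int = 25) -> dict[str, Any]:
    """Build a search body for ML record results (illustrative only)."""
    return {
        "size": limit,
        # Highest-scoring records first.
        "sort": [{"record_score": {"order": "desc"}}],
        "query": {
            "bool": {
                "filter": [
                    # Record-level results, not buckets or influencers.
                    {"term": {"result_type": "record"}},
                    {"range": {"record_score": {"gte": min_score}}},
                    # Elasticsearch date math, e.g. now-1h or now-7d.
                    {"range": {"timestamp": {"gte": f"now-{lookback}"}}},
                ]
            }
        },
    }
```

The defaults mirror the ones documented for the tool (score 1, 24h, 25 records); whether the tool applies them in exactly this way is not confirmed by the source.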

Tools

| Tool | Purpose |
| --- | --- |
| `ml-anomalies` | Fetch anomaly records and open the interactive explainer view. |
| `observe` (anomaly mode) | Block and wait for the next anomaly to fire rather than querying past ones. |
| `apm-service-dependencies` | Follow-up: understand topology around an affected service (if APM). |
| `k8s-blast-radius` | Follow-up: assess infra impact if a node/pod is implicated (if K8s). |

How to call ml-anomalies

{
  "lookback": "1h",
  "entity": "frontend"
}

Parameter-filling guidance:

min_score: default 1 (any anomaly). Do NOT pass a min_score for a vague "what anomalies do we have" prompt; doing so silently narrows a general question to a severity-filtered one without making that assumption visible. Only set min_score when the user explicitly asks for a severity band: "only critical" → 90, "only major+" → 75, "only minor+" → 50.
lookback: default 24h. Use 1h for acute investigations, 7d for weekly trend review.
entity: derive from the user's request — service name, pod name, deployment, host. Matches against all influencer fields. Use the exact OTel service.name as deployed; do not concatenate "X service" into "Xservice". Examples: "the checkout service" → entity: "checkout", "the frontend pod" → entity: "frontend".
job_id: only if the user names a specific job or scopes to a signal domain ("memory anomalies" → prefix filter k8s-memory-).
limit: default 25. Raise for a full audit; lower to 1 for "show me the worst."
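
The parameter guidance above can be read as "send only what the user asked for." A minimal sketch of that rule follows; the helper name `build_args` and the `severity` keyword are hypothetical, and only the argument names and the 90/75/50 thresholds come from the guidance itself.

```python
from typing import Optional

# Severity bands quoted in the guidance above.
SEVERITY_MIN_SCORE = {"critical": 90, "major": 75, "minor": 50}


def build_args(entity: Optional[str] = None,
               severity: Optional[str] = None,
               lookback: Optional[str] = None,
               job_id: Optional[str] = None,
               limit: Optional[int] = None) -> dict:
    """Return only the arguments the user actually asked for."""
    args: dict = {}
    if entity:
        args["entity"] = entity
    if severity is not None:
        # Raises KeyError on an unknown band rather than guessing a threshold.
        args["min_score"] = SEVERITY_MIN_SCORE[severity]
    if lookback:
        args["lookback"] = lookback
    if job_id:
        args["job_id"] = job_id
    if limit is not None:
        args["limit"] = limit
    return args
```

For example, `build_args(entity="frontend", lookback="1h")` yields the same payload as the sample call, with no `min_score` key, so the tool's own default applies.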

Call the tool once. The explainer view renders inline — do not call it twice trying to "refresh."

After the tool returns

You receive:

Anomaly records with recordScore, jobId, fieldName, functionName, entity, deviationPercent, and the actual vs typical values.
A jobsSummary of counts per job.
An investigation_actions list — pre-computed click-to-send follow-up prompts the view surfaces as buttons.

Ignore _setup_notice if present — it's view-side chrome (welcome banner) that the UI handles. Don't echo or summarize it in chat.

The explainer view renders in one of two modes, picked automatically from the result shape:

Overview mode (many anomalies, cross-entity): severity counts, affected-entities list, by-ML-job breakdown.
Detail mode (one anomaly, or filtered to a single entity): entity header, score / actual / typical / deviation cards, an actual-vs-typical comparison bar, and a time-series when available.

Use the view — don't restate the JSON. Provide a narrative below it:

Headline the worst offender: "Top anomaly — frontend memory working set anomalous, score 87 (major), 340% above typical."
Group by entity: list the top 3-5 affected entities with one-line summaries (overview mode).
Respect the next-step buttons: the view shows investigation_actions as clickable prompts — call them out in your reply ("…or click Blast radius to see infra impact") so the user knows they're there.
Flag gaps: if the user expected anomalies and none fired, say so; it might mean the jobs are behind or the thresholds need tuning.
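
The narrative steps above can be sketched as two small helpers. Several things here are assumptions: that records arrive as a list of dicts keyed by the field names listed earlier (recordScore, entity, fieldName, deviationPercent), that deviationPercent is signed, and the label "low" for scores under 50, which the source does not name. The 90/75/50 bands are the ones from the parameter guidance.

```python
def severity_label(score: float) -> str:
    """Map a record score to the bands used in the parameter guidance."""
    if score >= 90:
        return "critical"
    if score >= 75:
        return "major"
    if score >= 50:
        return "minor"
    return "low"  # hypothetical label; the source names no band below 50


def headline(records: list[dict]) -> str:
    """One-line summary of the highest-scoring record."""
    if not records:
        return "No anomalies matched the requested parameters."
    top = max(records, key=lambda r: r["recordScore"])
    direction = "above" if top["deviationPercent"] >= 0 else "below"
    return (f"Top anomaly: {top['entity']} {top['fieldName']}, "
            f"score {top['recordScore']:.0f} ({severity_label(top['recordScore'])}), "
            f"{abs(top['deviationPercent']):.0f}% {direction} typical.")


def top_entities(records: list[dict], n: int = 5) -> list[dict]:
    """Keep the worst record per entity, then return the n highest scores."""
    best: dict[str, dict] = {}
    for r in records:
        current = best.get(r["entity"])
        if current is None or r["recordScore"] > current["recordScore"]:
            best[r["entity"]] = r
    return sorted(best.values(), key=lambda r: r["recordScore"], reverse=True)[:n]
```

The output is meant to sit below the view as narrative, not to replace it.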

Key principles

Let the view do the visual work. The explainer has a severity gauge and per-entity cards. Don't duplicate them in prose.
Anomaly score ≠ severity of the underlying issue. A high score means "unusual," not "broken." Always cross-reference with what the user is actually seeing.
The ML baseline is what the jobs learned from the data's past. Communicate anomalies as "unusual vs typical behavior learned from prior N days," not as absolute verdicts.
Empty result is a signal, not a failure. Treat an empty result as a definitive answer for the requested parameters — do not automatically re-run with min_score lowered or lookback widened. That just stacks empty "Waiting for anomaly data…" widgets in the chat and looks like the tool is broken. Instead, tell the user "no anomalies above score X in the last Y" and offer a single follow-up like "Want me to broaden the search to min_score 25 / 24h?" — let them confirm before re-calling.
Pass entity as a plain value, not a composite. The tool emits entity on each anomaly as field1=value1; field2=value2 (the partition/by/over field info). Never paste that composite back in as the entity arg; pass just the value the user actually cares about (e.g. kube-proxy-gke-... or frontend). The tool now also parses the composite form, but a plain value is faster and cleaner.
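
Reducing a composite entity string to a plain value before reusing it could look like the sketch below. The helper `plain_entity` is hypothetical, as is the fallback of taking the first value when no field is preferred; the source only specifies the `field1=value1; field2=value2` shape.

```python
from typing import Optional


def plain_entity(value: str, preferred_field: Optional[str] = None) -> str:
    """Reduce 'field1=value1; field2=value2' to a single plain value."""
    if "=" not in value:
        return value.strip()  # already plain
    pairs: dict[str, str] = {}
    for part in value.split(";"):
        if "=" not in part:
            continue  # skip malformed fragments
        field, _, val = part.partition("=")
        pairs[field.strip()] = val.strip()
    if not pairs:
        return value.strip()
    if preferred_field in pairs:
        return pairs[preferred_field]
    # Assumption: with no preference, the first field is the most specific one.
    return next(iter(pairs.values()))
```

Passing `preferred_field` lets the caller pick the value the user actually asked about instead of relying on field order.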

Investigation discipline

One tool call per turn. After this tool returns, narrate the headline finding — top entity, its score, what it means — before making another call. Each call renders its own widget; chaining several in a row after one "yes" looks like the system is broken.
Sequential offers, not OR. Don't ask "Want me to check anomalies for X or Y?" — phrase as "I'll check X first; if it's quiet I'll move to Y." The user's "yes" then maps to one call, not both.
Don't auto-broaden. If 0 anomalies for the requested params, say so and OFFER a wider search ("Want me to widen to min_score 25 / 24h?"). Wait for confirmation before re-calling. Auto-retrying produces empty stacked widgets.
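
The "offer, then wait" rule can be expressed as a small decision function. This is a sketch only: `plan_next_step`, its return shape, and the `user_confirmed` flag are hypothetical, while the wider values (min_score 25, 24h) are the ones used in the example prompt above.

```python
def plan_next_step(records: list, args: dict, user_confirmed: bool = False) -> dict:
    """Decide what to do after a call returns, without auto-retrying."""
    if records:
        # Something came back: narrate the headline before any further call.
        return {"action": "narrate"}
    min_score = args.get("min_score", 1)    # documented default
    lookback = args.get("lookback", "24h")  # documented default
    if not user_confirmed:
        return {
            "action": "offer",
            "message": (f"No anomalies above score {min_score} in the last {lookback}. "
                        "Want me to widen to min_score 25 / 24h?"),
        }
    # Only after an explicit yes: exactly one wider call.
    return {"action": "call", "args": {**args, "min_score": 25, "lookback": "24h"}}
```

An empty result therefore never triggers a second call on its own; the wider search happens only when `user_confirmed` is true.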

related-skills.json

Same repository

observe.md

from "elastic/example-mcp-app-observability"

The agent's Elastic-access primitive. Four modes: wait for an ML anomaly to fire, poll an ES|QL metric (live-sample or wait for a threshold), read a single-instance scalar value, or return a full ES|QL table. Use when the user says "tell me when...", "let me know if...", "wait until X drops below Y", "watch for anything unusual", "monitor for the next N minutes", "poll until stable", "what is X right now", "list …", "which … are …", or wants transient (session-scoped) monitoring or ad-hoc querying without creating a persistent Kibana rule. Also trigger for "keep an eye on" and post-remediation validation.

2026-05-07 · 7

mcp-app-dev-setup.md

from "elastic/example-mcp-app-observability"

Bootstrap or repair a development environment for the Elastic Observability MCP App with Forge as the data driver. Use when the user says "set up Forge for me", "get me ready to work on this MCP app", "run the validation suite", "I just cloned this repo, what now", or wants the dev environment refreshed after a long gap. Verifies sibling Forge clone, Python venv, cluster credentials, MCP harness, and runs a smoke test against the canonical validation suite.

2026-05-01 · 7

apm-health-summary.md

from "elastic/example-mcp-app-observability"

Get a cluster-level rollup of service health from APM telemetry — the "how's my environment right now?" entry point for observability investigations. Use whenever the user asks about HEALTH, STATUS, or general wellbeing of an environment / cluster / namespace ("how's my cluster", "status of the X env", "what's broken", "any issues", "show me the health of …", "give me a status report", "what should I look at", "things feel slow"). This applies regardless of any time qualifier — "show me the health of X over the past hour" still routes here (with lookback="1h"), NOT to observe. observe is for raw-metric queries; this tool is for the rollup. Gracefully degrades: layers in Kubernetes pod data and ML anomaly context when those backends are present, but still returns useful APM-only output if they aren't. Do not use for log-only or metrics-only customers — this tool requires Elastic APM.

2026-05-01 · 7

apm-service-dependencies.md

from "elastic/example-mcp-app-observability"

Map the application topology from APM telemetry — which services call which, over what protocols, with what call volume and latency. Use when the user asks "what calls X", "what depends on X", "show me the topology", "what are the upstream/downstream services", "where does this service fit", or is doing root-cause investigation and needs to trace how a problem propagates through the call graph. Also trigger for "service map", "dependency graph", "blast radius of service X", or "who's the dependency of Y". Requires Elastic APM — do not trigger for log-only or metrics-only customers.

2026-05-01 · 7

manage-alerts.md

from "elastic/example-mcp-app-observability"

CRUD for Kibana alerting rules — create, list, get, or delete custom-threshold rules. Use when the user says "alert me when", "create a rule for", "page me if", "set up an alert", "show me my rules", "what alerts do I have", "delete that alert", "remove the rule". Backend-agnostic — works on any metric field in any index pattern (metrics-*, logs-*, traces-apm*, custom). For transient session-scoped monitoring use `observe` instead. Requires Kibana with the Alerting feature enabled — the tool is auto-disabled when no Kibana URL is configured.

2026-04-30 · 7

k8s-blast-radius.md

from "elastic/example-mcp-app-observability"

Assess the impact of a Kubernetes node going offline — which deployments lose all replicas (full outage), which lose partial capacity (degraded), which are unaffected, and whether the cluster has enough spare capacity to reschedule the lost pods. Use when the user asks "what happens if node X goes down", "what's the blast radius of draining this node", "can I safely maintain node Y", "what's running on this node", "if I evict this node what breaks", or is planning node maintenance, a cluster upgrade, or investigating an actual node failure. Requires Kubernetes (kubeletstats metrics) and Elastic APM for downstream service impact — do not trigger for non-K8s deployments.

2026-04-30 · 7

package.json

"author": "elastic"

"repository": "elastic/example-mcp-app-observability"
