Data Prepper - Additional Information about Anomaly Detector Processor

[canob]

I’m trying to understand all the features of Anomaly Detector Processor of Data Prepper, but after reviewed the documentation and install it and do some tests, I have some questions:

• Is the anomaly computed on all the fields that are part of the log, or how can I configure what fields are going to be used by the anomaly detection model?
  For example, for this log line:
  {“count_qname”:14,“source_ip”:“10.199.0.40”,“tag”:“dns_metrics_query_by_qname_by_ip_1m”,“qname”:“chat.google.com”}
  Is the anomaly being computed for the tuple source_ip and qname (the tag is going to be always the same)? I’m using as key count_qname.
  And for this one?
  {“tag”:“dns_metrics_query_by_qname_5m”,“qname”:“chat.google.com”,“count_qname”:5}
  How the anomaly calculation is persisted between docker restarts?
• Is it possible not to overwrite the File Output every time docker restarts? Because every time I restart the docker container of Data Prepper the output file is deleted/overwritten.
• Any blog post or additional documentation I can read to understand this processor better?

My Configuration:
FluentBit HTTP Output → Data Preper HTTP Input → Anomaly Detector Processor → File Output

Thanks in advance for your help.

[canob]

Anyone who can give me more information about Anomaly Detector Processor of Data Prepper?