Hi guys,
I am making a really cool alert to identify drops in traffic.
At the moment I am searching over a 10 minute period, putting the first 5 minutes in one bucket and the second 5 minutes in a second bucket and calculating the difference. Then I define a threshold.
It works ok but I want to make it better by dividing the count into three buckets instead of two. So I would have an earliest, middle, and latest bucket. Then set a condition along the lines of: middle count is x amount less than the earliest count and latest count is x amount less than middle count (and the first condition is true), then trigger an alert.
This is what I have at the moment. Only two buckets.
index=blah earliest=-11m@m latest=-1m@m | bucket span=5m _time
| stats count by _time, Platform, Check
| streamstats window=2 global=f current=f first(count) as p_count by Platform Check
| eval difference=count-p_count
| eval pc_difference=abs(round(difference/(count+abs(difference))*100,0))
| sort str(Platform) str(Check)
| search difference < 0
And a pretty complicated condition to eliminate white noise.
| where (pc_difference=100) OR (pc_difference>70 AND p_count>20)
OR (pc_difference>90 AND p_count>20 AND count<5)
What do I need to do to introduce a third bucket? Ideally I want to bucket the count as the earliest, middle, and latest count and assign fields to each count. Then make calculations on the three fields.
I was thinking something like this.
index=blah earliest=-10m@m latest=-1m@m | bucket span=3m _time
| stats count by _time, Platform, Check
| streamstats window=3 global=f current=f
first(count) as p_count latest(count) as m_count last(count) as l_count by Platform Check
| ....
and so on but I think this is flawed. I can't seem to find a way to put the earliest, middle, and latest into three fields.
I would very much appreciate some help here.
Cheers,
Tommy boi
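One way to get the three counts into three named fields per Platform/Check pair, as an added example written for this thread and not part of the original post. Instead of `bucket span=3m` (whose boundaries align to the epoch, so a search window snapped to `@m` usually gives four partial buckets rather than three full ones), it numbers buckets backwards from the search's own end time with `addinfo`, and uses `chart` so that a bucket with zero events still yields a 0 rather than a missing row, which is exactly the case a drop alert must not skip (a `streamstats` over `stats count` rows silently loses an empty bucket). The `index=blah`, `Platform` and `Check` names come from the post; the `|` key separator, the 20-event floor and the 30% thresholds are assumptions to be tuned, and `fillnull` creating a listed field that is absent from every row is assumed to behave as documented.

```spl
index=blah earliest=-10m@m latest=-1m@m
| addinfo
| eval b=floor((info_max_time - _time) / 180)
| eval b=case(b=0, "l_count", b=1, "m_count", b=2, "e_count")
| where isnotnull(b)
| eval key=Platform."|".Check
| chart count over key by b
| fillnull value=0 e_count m_count l_count
| eval Platform=mvindex(split(key, "|"), 0), Check=mvindex(split(key, "|"), 1)
| eval drop1_pc=if(e_count>0, round((e_count-m_count)/e_count*100, 0), null())
| eval drop2_pc=if(m_count>0, round((m_count-l_count)/m_count*100, 0),
                   if(l_count=0 AND e_count>0, 100, null()))
| where e_count>=20 AND drop1_pc>=30 AND drop2_pc>=30
| table Platform Check e_count m_count l_count drop1_pc drop2_pc
```

Each event lands in bucket 0 (the latest 3 minutes before `info_max_time`), 1 or 2; `chart` turns those into the three columns, so the `where` clause can express "middle is at least 30% below earliest AND latest is at least 30% below middle" directly, with the `e_count>=20` floor playing the role of the `p_count>20` noise filter in the original two-bucket search. Two caveats a practitioner would want: a Platform/Check pair with no events in any of the nine minutes produces no row at all, so a pair that has been dark for the whole window needs a separate check against a lookup of expected pairs; and the separator in `key` must be a character that never appears in `Platform` or `Check` values.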