I've searched around, but failed to come up with an answer to the problem I'm facing:
My data set contains events that correspond to different categories. I'd like to find the counts of these events for each category per day, and then pick out spikes in each of these counts (a spike could be defined as three times the 5-point moving average).
Here's an example search that picks out the number of events for all categories [the category field is bg]:
index=bg_data earliest=-1y bg="*" | timechart span=1d count(start_time) as num_events by bg
And here's an example search that detects spikes for a single category at a time:
index=bg_data earliest=-1y bg="test_bg" | timechart span=1d count(start_time) as num_events | trendline sma5(num_events) as moving_avg | eval spike=if(num_events > 3 * moving_avg, 500, 0) | search spike>0
I've tried using join, or map, and other search tricks, but I have yet to find a way of combining the above 2 searches. What I'd like is a way to set up an alert that fires each time a spike is detected for the previous 24 hours of events, and a table that displays all spikes. For example, it might be something like:
_time | category_a_spike | category_b_spike | category_c_spike
day 1 | ...
day 2 | ...
day 3 | ...
where "category_x_spike" is the value of the spike for that particular category.
... View more