I have searched a lot and haven't found a straight answer to this, yet.
I want to create an alert on spikes of load for two hosts. To do this, I am comparing minutes. Ignoring the current minute, as its data is incomplete, I am comparing the previous minute with the one before that. If there is a large spike between the two results, I want to trigger an alert. Currently, I am struggling to compare the two values as they are just in a table. Is there a better way to approach this? Thank you.
This is what I have so far:
index=web host=*EXP0* earliest=@m-2m latest=@m | bucket _time span=1m | stats count by _time
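An added example, not part of the original post, of one way to turn the per-minute table into one row per host so the two minutes can be compared with a plain eval. It keeps the post's own time window and host filter; the thresholds (at least 100 events in the last minute, and more than a 200 % rise over the minute before) are assumed placeholders to be tuned to the hosts' real baseline.

```spl
index=web host=*EXP0* earliest=@m-2m latest=@m
| eval minute=if(_time >= relative_time(now(), "-1m@m"), "last_minute", "previous_minute")
| chart count over host by minute
| fillnull value=0 last_minute previous_minute
| eval pct_change=if(previous_minute > 0, round((last_minute - previous_minute) / previous_minute * 100, 1), null())
| where last_minute >= 100 AND (previous_minute = 0 OR pct_change > 200)
```

Schedule it every minute and trigger the alert when the number of results is greater than zero; a host with no events in either minute produces no row at all, so a sudden drop to silence needs a separate check.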