Hi, I have events that are generated throughout the day based on API processing. These events are available in Elastic and are generated throughout the day. I am trying to figure out a way to create an alert when the number of events generated for the last hour is less than 30% when compared to the events generated for the same time period on the previous day.
For example:
11/15/2022 10-11AM: 2000 events
11/15/2022 11-12PM: 1500 events
and so on
11/16/2022 10-11AM: 2500 events
11/16/2022 11-12PM: 150 events (I want to alert for this data as the events generated are far less when compared to the same time on 11/15 - only 10%)
I was thinking of using derivative aggregation but since the time ranges that are being compared are not immediate ones, that doesn't seem to be an option. I appreciate any help or pointers in resolving this. Many thanks!
A couple thoughts, although I'm not sure there's an easy way to do exactly what you want.
My first thought is this is exactly what a single metric anomaly detection job does... It will learn the normal behavior of your API events and then create an anomaly which you can turn into an alert. When the behavior is not normal as compared to its learned baseline.
So if you have it daily / weekly cycles etc it will learn that and then alert when it does not match.
In Lens visualization you can graph exactly the formula.. you can create a graph using the formula and shift function...
Unfortunately today you cannot turn that directly into an alert but you'd be able to see it.
I'm poking around to see if formulas are coming to alerts.
You could probably write a watcher to do this, but would probably be quite complex and not my area of expertise.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.