I am trying to monitor a log and alert when a certain value spikes higher than usual.
trendline seems to be useful here.
Something like
|stats count, avg(concurrent_user) as user_count by date_minute, date_second |trendline sma10(user_count) as user_count_moving_average
can provide both single value in user_count and a moving average.
How can I set up an alert that can compare the two values, so that if the single value is much greater than the moving average?
I can calculate moving average of different periods and make the comparison as well. I get the search right, but the custom condition on alert setup is baffling me.
use the where class to find your matching records, something like this,
|stats count, avg(concurrent_user) as user_count by date_minute, date_second |trendline sma10(user_count) as user_count_moving_average | where user_count_moving_average <=count
in the saved search schedule it when more than one events presents.
Hope this will helps you.
I know it's been a long time since you answered, but your answer helped me at least, well done!