I have a field that should be increasing - though not monotonically increasing.
I want to alert if the number gets smaller. Here's my attempt at this.
index="myindex" | stats max(a) as maxnum | where a < maxnum
That doesn't find it because the number never decreases below 101. However, even if I change the query, it doesn't find any rows!
index="myindex" | stats max(a) as maxnum | where a < (maxnum-100)
Obviously, that doesn't do what I want. But it was an interesting diagnosis. I was inspired by this question, but I can't change it to do what I want. Can/should I do this with a subsearch?
You might be able to do this with the "delta" search operator.
Basically, do a search similar to:
index="myindex" | delta a as a_delta | where a_delta < 0
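To make the behaviour of that check concrete, here is an added Python example (not code from this thread, and not part of Splunk) that replays the same logic over a small constructed set of events: a `delta` mirror, the equivalent `streamstats` formulation, the reason the `stats max(a)` attempt from the question matches no rows, and the ordering pitfall. The event values, the `Event` type and the SPL shown in the docstrings are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    """One search result; field names follow the post (a = the counter)."""
    time: int  # _time as epoch seconds (constructed)
    a: int


# Constructed sample events, in chronological order. The counter climbs, then
# drops once (105 -> 103), which is the condition the post wants to alert on.
SAMPLE_EVENTS: List[Event] = [
    Event(time=1000, a=101),
    Event(time=1010, a=104),
    Event(time=1020, a=105),
    Event(time=1030, a=103),  # the regression
    Event(time=1040, a=108),
]


def delta(values: List[int], p: int = 1) -> List[Optional[int]]:
    """Mirror of `delta <field> p=<N>`: current value minus the value N results
    earlier in stream order; None where there is no earlier value."""
    return [None if i < p else v - values[i - p] for i, v in enumerate(values)]


def decreases_via_delta(events: List[Event]) -> List[Event]:
    """Equivalent of `| sort _time | delta a as a_delta | where a_delta < 0`.
    Sorting first fixes the stream order; `where` drops the null first delta."""
    ordered = sorted(events, key=lambda e: e.time)
    a_delta = delta([e.a for e in ordered])
    return [e for e, d in zip(ordered, a_delta) if d is not None and d < 0]


def decreases_via_streamstats(events: List[Event]) -> List[Event]:
    """Equivalent of `| sort _time | streamstats current=f last(a) as prev_a
    | where a < prev_a`: carry the previous event's value forward."""
    ordered = sorted(events, key=lambda e: e.time)
    hits: List[Event] = []
    prev_a: Optional[int] = None
    for e in ordered:
        if prev_a is not None and e.a < prev_a:
            hits.append(e)
        prev_a = e.a
    return hits


def decreases_without_sort(events_newest_first: List[Event]) -> List[Event]:
    """Pitfall: run delta over results as the search returns them (newest first,
    the default) and the sign flips, so ordinary increases get flagged."""
    a_delta = delta([e.a for e in events_newest_first])
    return [e for e, d in zip(events_newest_first, a_delta)
            if d is not None and d < 0]


def stats_max_attempt(events: List[Event]) -> List[dict]:
    """Why `| stats max(a) as maxnum | where a < maxnum` returns nothing: stats
    collapses everything into one row holding only maxnum, so `a` no longer
    exists and the comparison against a missing field is never true."""
    rows = [{"maxnum": max(e.a for e in events)}]
    return [r for r in rows if r.get("a") is not None and r["a"] < r["maxnum"]]


if __name__ == "__main__":
    print("delta:", decreases_via_delta(SAMPLE_EVENTS))
    print("streamstats:", decreases_via_streamstats(SAMPLE_EVENTS))
    print("unsorted pitfall:", decreases_without_sort(list(reversed(SAMPLE_EVENTS))))
    print("stats max attempt:", stats_max_attempt(SAMPLE_EVENTS))
```

The example assumes what Splunk documents for `delta`: it works on results in the order the search returns them, which by default is newest first. The sorted-first variants flag only the one real drop; the unsorted variant over the same events flags every normal increase instead, so an alert built on `where a_delta < 0` should put `| sort _time` (or `| reverse`) in front of `delta` unless the search already yields ascending order.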
delta is precisely what I needed. Streamstats might too, but delta was even easier!
You could do it with streamstats too, but delta is the simplest approach.