I am trying to detect if any of the servers in the farm decreases in performance. I can see performance going down as the number of logs goes down by using the following query:
index=xxx | timechart span=5m count as event_count by host
Plotting this into a graph, I can see one of the lines going down, and I can say the performance goes down.
I am trying to use the results of the query above to find any host whose event count is below 2 stdev for the past 10 minutes, but it doesn't seem like I can use event_count in subsequent pipes. Is there any way to achieve this?
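
An added example, not part of the original post: with `by host`, timechart names its output columns after each host, so no event_count field exists for later pipes, while counting with bin and stats keeps event_count as a real field. It assumes "below 2 stdev" means more than two standard deviations under each host's own mean over the search time range; avg_count, stdev_count and lower_bound are names chosen here.

```spl
index=xxx
| bin _time span=5m
| stats count as event_count by _time host
| eventstats avg(event_count) as avg_count stdev(event_count) as stdev_count by host
| eval lower_bound = avg_count - 2 * stdev_count
| where _time >= relative_time(now(), "-10m") AND event_count < lower_bound
| table _time host event_count avg_count stdev_count lower_bound
```

A host that sends nothing at all in a 5-minute bucket produces no row from stats, so this catches a drop in volume rather than complete silence.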