I have metrics that are basically
_time host1 monitor_count=2
_time host1 monitor_count=1
This is over different hosts and dynamic monitor_count values. What I want to do is make a query that counts the number of times the monitor_count depreciated over a given time range.
So if host 1 throttles back and forth between 2 and 1, how many times did that happen?
I'm trying many options of streamstats with window=2 earliest(monitor_count) as prev_count by host, but that doesn't seem to be working. When it drops from 2 to 1, a 1 is recorded for previous and current to that time range.
Try something like this:
| sort 0 _time | streamstats current=f window=1 earliest(monitor_count) as prev_count global=f by host
That just returns the current value as the window is 1 and current is false.
I could never get streamstats to work, so I ended up using a join to set the monitor cap. It's not optimal, but I can't figure out why streamstats can't compare 2 numeric values in a window of 2.
Here is a run-anywhere example showing that prev_count is the count from the previous host.
| gentimes start=-1 increment=1h | rename starttime as _time | eval monitor_count=random()%10 | eval host=mvindex(split("ABC",""),random()%3) | streamstats current=f window=1 earliest(monitor_count) as prev_count global=f by host | fields _time host monitor_count prev_count
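As an added example (not from any of the posters above), the same run-anywhere generator extended to answer the original question: compare each event's monitor_count with the previous value for the same host and total the decreases per host. The `isnotnull` guard skips each host's first event, which has no predecessor, and `sort 0 _time` guarantees the window is walked in time order.

```spl
| gentimes start=-1 increment=1h
| rename starttime as _time
| eval monitor_count=random()%10
| eval host=mvindex(split("ABC",""),random()%3)
| sort 0 _time
| streamstats current=f window=1 earliest(monitor_count) as prev_count by host
| eval dropped=if(isnotnull(prev_count) AND monitor_count<prev_count, 1, 0)
| stats sum(dropped) as drop_count, count as samples by host
```

Replace the three `gentimes`/`eval` lines with your own base search to run it against real data; `drop_count` is the number of times monitor_count fell for that host in the selected time range.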