I am trying to monitor a log and alert when a certain value spikes higher than usual.
trendline seems to be useful here.
Something like
|stats count, avg(concurrent_user) as user_count by date_minute, date_second |trendline sma10(user_count) as user_count_moving_average
can provide both single value in user_count and a moving average.
How can I set up an alert that can compare the two values, so that if the single value is much greater than the moving average?
I can calculate moving average of different periods and make the comparison as well. I get the search right, but the custom condition on alert setup is baffling me.
... View more