我想创建一个警报,当今天的日志数量比每项服务过去三天的平均值多10%时触发。
对于一项特定服务,我可以使用下一个
index="some-index" AND "ctx.endpointname"="service-name" earliest=-3d@d |
timechart span=1d count |
timewrap d series=short |
eval threshold=(((s1+s2+s3)/3)+(((s1+s2+s3)/3)*0.1))'
但是当我添加by ctx.endpointname
index="some-index" AND "ctx.endpointname"=* earliest=-3d@d |
timechart span=1d count by ctx.endpointname|
timewrap d series=short |
eval threshold=(((s1+s2+s3)/3)+(((s1+s2+s3)/3)*0.1))'
结果字段名称:
service-name_s0
service-name_s1
service-name_s2
service-name_s3
我无法计算阈值,因为我不知道如何为每个服务引用此字段
答案 0 :(得分:0)
index =“ some-index”和“ ctx.endpointname” =“服务名称”最早= -3d @ d最新= @ d | addinfo | eval orig_time = strftime(_time,“%H:%M:%S”)| eval min_time = info_min_time |铲斗跨度= 1440m info_min_time |评估偏移量= min_time-info_min_time |评估_time = _time-offset |铲斗跨距= 1440m _time |评估_time = _time + offset | eval min_time = strftime(min_time,“%H:%M:%S”)| eval info_min_time = strftime(info_min_time,“%H:%M:%S”)|铲斗_time span = 1440m |统计信息在_time |之前计为current_count自动回归current_count作为previous_count | eval total_count =(current_count + previous_count)|流统计信息计为行|评估更改=(当前计数-上一个计数)| eval ChangePercent =(更改/总计)* 100 |字段_time,current_count,previous_count,更改,ChangePercent,行|其中current_count> x AND ChangePercent> 10 AND row = 2
请使用上面的查询并更改当前计数,您将获得所需的结果。