In my rule I’m alerting on a stream if the count of points in it has decreased (where each point stands for an alive server along with its metadata). I do this by having 2 similar streams + window nodes, where for the second stream its window is extended and contains two periods of data:
```
var data = stream
    |from()
        .measurement(measurement)

var current_period_agents = data
    |window()
        .period(window_period)
        .every(window_every)
        .align()

var current_period_agents_count = current_period_agents
    |count('status_code')

var extended_period_agents = data
    |window()
        .period(extended_window_period)
        .every(window_every)
        .align()

var extended_period_agents_count = extended_period_agents
    |count('status_code')

var stats = extended_period_agents_count
    |join(current_period_agents_count)
        .as('extended_period', 'current_period')
    |eval(lambda: "extended_period.count" - "current_period.count")
        .as('previous_period.count')
        .keep()
    |eval(lambda: "previous_period.count" - "current_period.count")
        .as('current_period.count_delta')
        .keep()
    |alert()
        .crit(lambda: "current_period.count_delta" > 0)
```
This way I can detect the decrease event. But what I additionally want is to include the details of that decrease - what exactly has disappeared in the current data. For that I’d need to calculate a difference between two sets:
- first the diff `past_period_agents = extended_period_agents - current_period_agents` - to get bare data for the past period
- second the diff `past_period_agents - current_period_agents` omitting the data’s timestamps - to find the data which was in the past period, but has gone in the current period.
Having such alert details would simplify any further human analysis and processing of an alert. But I’ve no idea how to achieve that, also considering some previously submitted question - Reference other node’s data in alert() details of the current node.
Any suggestions would be highly appreciated. Thanks!
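
The two-step set difference described in this post, written out in plain Python as an added example (it is not code from the original post and not a Kapacitor API). The `Point` tags `host` and `dc`, the function names and the sample windows are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Point(NamedTuple):
    time: int         # window-aligned epoch seconds
    host: str         # hypothetical tag
    dc: str           # hypothetical tag
    status_code: int  # the field counted in the TICKscript

def identity(p: Point) -> tuple:
    """Everything except the timestamp: the server plus its metadata."""
    return p[1:]

def past_period(extended, current):
    """Step 1: extended - current on full points, leaving only the older period."""
    current_points = set(current)
    return [p for p in extended if p not in current_points]

def disappeared(extended, current):
    """Step 2: past - current with timestamps ignored; last-seen point per server."""
    alive = {identity(p) for p in current}
    last_seen = {}
    for p in past_period(extended, current):
        key = identity(p)
        if key in alive:
            continue  # still reporting in the current period
        if key not in last_seen or p.time > last_seen[key].time:
            last_seen[key] = p
    return sorted(last_seen.values(), key=identity)

def alert_details(extended, current):
    """Text to attach to the alert, one line per missing server."""
    return "\n".join(
        f"{p.host} dc={p.dc} status_code={p.status_code} last_seen={p.time}"
        for p in disappeared(extended, current))

# Constructed sample: the extended window holds t=0 and t=60, the current one only t=60.
EXTENDED = [Point(0, "web-1", "eu", 200), Point(0, "web-2", "eu", 200),
            Point(0, "web-3", "us", 200), Point(60, "web-1", "eu", 200),
            Point(60, "web-3", "us", 200)]
CURRENT = [Point(60, "web-1", "eu", 200), Point(60, "web-3", "us", 200)]

if __name__ == "__main__":
    print(alert_details(EXTENDED, CURRENT))
```

With this sample the counts match the script's condition: the extended window has 5 points and the current one 2, so `previous_period.count` is 3 and `current_period.count_delta` is 1.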