Comparing values percentually

[lufimoreira94]

Hi. I'm trying to create a rule that triggers when a duration is 150% above the average time of the last 10 minutes, grouped by an Id. I created an elasticsearch transform to facilitate this process, in which it returns that average time grouped by said Id.
What I'm missing is how to compare those values percentually.

Here's a simple example in case I didn't explain it well:
Imagine that in the last 10 minutes there are 5 logs where 'labels.db_statement_encoded' is defined as "1234", and each duration is, respectively, 2, 4, 3, 2, 4. Then, the average duration would be 3. After that, another log with labels.db_statement_encoded equal to "1234" comes with a duration of 4. That should not trigger the rule, since 4 is lower than 150% of the previous average. But if the duration were to be 6, then it would trigger, since it would be 200% of the average duration of the last 10 minutes.

Long story short, I need to know when X number is 150% or more the value of Y.

Thanks in advance!

[jertel]

Perhaps the Spike Aggregation rule type will solve your needs. Documentation is online at https://elastalert2.readthedocs.io/en/latest/ruletypes.html#spike-aggregation.

[lufimoreira94]

Thanks, that sounds right. I created this rule:

`name: "Under Performance Error Alert v2"
type: spike_aggregation
is_enabled: true

index: ".ds-traces-apm-default-*"

filter:

• term:
  processor.event: "span"
• term:
  span.type: "db"

metric_agg_key: span.duration.us
metric_agg_type: avg
query_key: labels.db_statement_encoded

spike_height: 1
spike_type: up

threshold_cur: 1
#min_doc_count: 5

timeframe:
minutes: 1
buffer_time:
minutes: 1

alert:

• "post"

http_post_url: "https://dsads.wiremockapi.cloud/"
http_post_headers:
Content-Type: "application/json"`

This is for the sake of testing, however, I get this error:
elastalert2-1 | 2025-01-13 14:11:34,737 ERROR Traceback (most recent call last): elastalert2-1 | File "/usr/local/lib/python3.13/site-packages/elastalert/elastalert.py", line 1268, in handle_rule_execution elastalert2-1 | num_matches = self.run_rule(rule, endtime, rule.get('initial_starttime')) elastalert2-1 | File "/usr/local/lib/python3.13/site-packages/elastalert/elastalert.py", line 887, in run_rule elastalert2-1 | rule['type'].garbage_collect(tmp_endtime) elastalert2-1 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^ elastalert2-1 | File "/usr/local/lib/python3.13/site-packages/elastalert/ruletypes.py", line 576, in garbage_collect elastalert2-1 | self.handle_event(placeholder, 0, qk) elastalert2-1 | ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^ elastalert2-1 | File "/usr/local/lib/python3.13/site-packages/elastalert/ruletypes.py", line 500, in handle_event elastalert2-1 | if self.find_matches(ref, cur): elastalert2-1 | ~~~~~~~~~~~~~~~~~^^^^^^^^^^ elastalert2-1 | File "/usr/local/lib/python3.13/site-packages/elastalert/ruletypes.py", line 527, in find_matches elastalert2-1 | if (cur < self.rules.get('threshold_cur', 0) or elastalert2-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ elastalert2-1 | TypeError: '<' not supported between instances of 'NoneType' and 'int'

It seems like the current values aren't being properly loaded. Am I missing something?

[jertel]

Do some timerange windows not have any events?

[lufimoreira94]

Yes, and the chance is higher since I'm using query_key I'm assuming. The problem is that I think that error is disabling my rule
elastalert2-1 | 2025-01-14 09:45:57,093 INFO Disabled rules are: ['Under Performance Error Alert v2']
I'm not sure though

[jertel]

Ok, try specifying disable_rules_on_error: false and let's see if the rule behaves as expected, aside from the error when there's no data.

[lufimoreira94]

It worked. Thanks mate!