IBM QRadar

Long store short we have a bunch of logsources that have peaks and valleys in the EPS we are trying to create alerts if a logsource average eps drops below a baseline number. The log sources we are wanting to monitor are load balanced but they do load balancing based on proximity so we have some that have a 5 - 6 eps and some that have a 200 - 400 eps. Was thinking that if I could set a five minute baseline custom field or such I could compare previous averages and alert if a log source goes from lets say 400 eps to 150 eps. Lets have a discussion on the best way to do this or if you have seen it done what is your suggestion?

We are writing a machine learning app to do it.  The built in anomaly stuff is pretty good for thresholds and stuff like that.  The best one to use is the Behavioral rule, but you have to have the query perfect and the importance values.  I have actually read some of the math involved, Gladys Koscas shared when she was at IBM.  I don't have the links available.  Figure out how to use those behavioral rules, they are well worth the time.

Long store short we have a bunch of logsources that have peaks and valleys in the EPS we are trying to create alerts if a logsource average eps drops below a baseline number. The log sources we are wanting to monitor are load balanced but they do load balancing based on proximity so we have some that have a 5 - 6 eps and some that have a 200 - 400 eps. Was thinking that if I could set a five minute baseline custom field or such I could compare previous averages and alert if a log source goes from lets say 400 eps to 150 eps. Lets have a discussion on the best way to do this or if you have seen it done what is your suggestion?