Out-of-the-ordinary hosts via z-score (STD_DEV)
STD_DEV measures the dispersion of CPU load per host; the z-score of the peak ((max − mean) / standard deviation) distinguishes a genuinely anomalous spike from a load that is habitually volatile, since a host that swings constantly has a large standard deviation and its peak scores low.
Requirements
Elasticsearch 8.15+, Metricbeat
ES|QL query
FROM "metrics-system.cpu-*"
| WHERE @timestamp >= NOW() - 6 hours
| EVAL cpu_pct = system.cpu.total.norm.pct * 100
| STATS
    cpu_moy = ROUND(AVG(cpu_pct), 1),
    cpu_ecart_type = ROUND(STD_DEV(cpu_pct), 1),
    cpu_max = ROUND(MAX(cpu_pct), 1)
  BY host.name
| EVAL z_max = ROUND((cpu_max - cpu_moy) / cpu_ecart_type, 1)
| WHERE z_max > 3
| SORT z_max DESC
| LIMIT 20

Result
host.name    | cpu_moy | cpu_ecart_type | cpu_max | z_max
-------------+---------+----------------+---------+------
db-prod-03   | 22.4    | 4.1            | 97.8    | 18.4
cache-redis2 | 18.6    | 3.9            | 51.0    | 8.3
web-prod-12  | 41.3    | 6.2            | 88.9    | 7.7
batch-node-1 | 35.0    | 8.7            | 99.2    | 7.4
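To make the threshold easier to reason about offline, here is an added Python example (not part of the original page and not Elastic's code) that reproduces the query's per-host pipeline on constructed samples: it scales the normalised percentage, rounds the mean, standard deviation and max exactly as the STATS stage does, computes z_max from the rounded values, and drops hosts whose standard deviation is zero, mirroring the null that ES|QL returns on division by zero (which `WHERE z_max > 3` then filters out). The host names and sample values are constructed, and the use of a population standard deviation to stand in for STD_DEV is an assumption to verify against the ES|QL documentation for your version.

```python
"""Per-host CPU z-score detection, mirroring the ES|QL query above.

Added example, not code from the original page or from Elastic. The
samples are constructed; `pstdev` (population standard deviation) is an
assumed stand-in for ES|QL STD_DEV.
"""
from statistics import mean, pstdev

# Constructed samples: host -> system.cpu.total.norm.pct values (0..1).
SAMPLES = {
    # tight baseline around 20-24 % plus one real spike to 98 %
    "db-prod-03": [0.20, 0.24] * 15 + [0.98],
    # tight baseline around 40-44 % plus a smaller spike to 60 %
    "web-prod-12": [0.40, 0.44] * 15 + [0.60],
    # habitually volatile: swings 10 % <-> 90 % all the time
    "batch-node-1": [0.10, 0.90] * 15,
    # perfectly flat host: standard deviation is zero
    "static-host": [0.30] * 10,
}


def host_stats(samples, z_threshold=3.0):
    """Return {host: (cpu_avg, cpu_stddev, cpu_max, z_max)} for every host
    whose z_max exceeds z_threshold, ordered by z_max descending.

    Stage by stage this is:
      EVAL cpu_pct = pct * 100
      STATS ROUND(AVG), ROUND(STD_DEV), ROUND(MAX) BY host
      EVAL z_max = ROUND((cpu_max - cpu_avg) / cpu_stddev, 1)
      WHERE z_max > threshold | SORT z_max DESC
    """
    rows = {}
    for host, values in samples.items():
        cpu_pct = [v * 100 for v in values]
        cpu_avg = round(mean(cpu_pct), 1)
        cpu_sd = round(pstdev(cpu_pct), 1)
        cpu_max = round(max(cpu_pct), 1)
        # ES|QL yields null when dividing by zero and WHERE drops nulls,
        # so a flat host can never be reported as anomalous.
        if cpu_sd == 0:
            continue
        # z-score computed from the already-rounded aggregates, as the query does
        z_max = round((cpu_max - cpu_avg) / cpu_sd, 1)
        if z_max > z_threshold:
            rows[host] = (cpu_avg, cpu_sd, cpu_max, z_max)
    return dict(sorted(rows.items(), key=lambda kv: kv[1][3], reverse=True))


if __name__ == "__main__":
    print("host.name    | cpu_avg | cpu_stddev | cpu_max | z_max")
    for host, (avg, sd, mx, z) in host_stats(SAMPLES).items():
        print(f"{host:<12} | {avg:>7} | {sd:>10} | {mx:>7} | {z:>5}")
```

The volatile host reaches 90 % CPU yet scores z_max = 1.0, because its standard deviation is large; the two hosts with a tight baseline are reported even though one of them only peaks at 60 %. That is the behaviour the query relies on: the threshold is relative to each host's own dispersion, not an absolute CPU level.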