Aggregating counter metrics to detect spikes #24301
Description
A note for the community
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Use Cases
I'm trying to detect the short-lived spikes in metrics by scraping every second but only publishing to Prometheus every 60 seconds. I've gotten this working for gauge metrics using Vector's Max aggregation transform, but I can't find a way to achieve the same thing for counter metrics.
Attempted Solutions
- Using a
Maxaggregation on counter metric will always return the most recent value since the counter is monotonically increasing. This makes it impossible to tell if the metric is steadily increasing over a minute or if it quickly increased over a few seconds. - I've tried using a stateful Lua transform to calculate the change between consecutive events then taking the max of those values. This didn't work because Vector creates multiple parallel threads for the transform, and there's no guarantee that the thread processing an event is the same one that processed the previous event (i.e. the transform can't calculate the change between events because it doesn't know the value/timestamp of the previous event)
Proposal
Create a new MaxSlope aggregation mode that calculates the max change over time between any pair of events it receives during each interval window. Assuming an aggregation function receives events in the order they are emitted, it could look something like this:
max_slope = 0
prev_event = null
on_event = func(event):
if prev_event != null:
slope = (event.value - prev_event.value) / (event.timestamp - prev_event.timestamp)
if slope > max_slope:
max_slope = slope
prev_event = event
on_interval_window_ended = func():
emit(max_slope)
max_slope = 0
References
No response
Version
vector 0.50.0 (aarch64-unknown-linux-gnu 9053198 2025-09-23 14:18:50.944442940)