Alerting on Derivatives, Not Absolutes
Some alerts work better on rate of change than on absolute value. The pattern, the metric examples, and when to use each.
When derivative wins
Disk usage. 'Disk is at 80%' is a static threshold; 'disk is filling at 5GB/hour' is a derivative.
Memory leaks. Absolute memory crosses thresholds; derivative catches the leak earlier.
When absolute wins
SLO compliance. Latency must be under X. Threshold matters; rate of change is secondary.
Capacity utilisation that has a hard cap. Approaching the cap is what matters.
Combine
Often both: alert on either the absolute or the derivative.
Two alerts, OR'd. The cheaper safety mechanism.
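The OR'd pair for the disk case, as an added example that is not part of the original page. The function names, the 500 GB capacity, the 5-minute sample interval and the use of the page's 80% and 5GB/hour figures as thresholds are all assumptions made for illustration.

```python
from typing import List, Tuple

GB = 1024 ** 3
Sample = Tuple[float, float]  # (seconds, bytes used)

def fill_rate(samples: List[Sample]) -> float:
    """Least-squares slope of bytes used over time, in bytes/second.

    Fitting the whole window instead of differencing the last two
    points keeps one noisy sample from dominating the derivative.
    """
    n = len(samples)
    if n < 2:
        return 0.0
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    if var_t == 0:
        return 0.0
    cov = sum((t - mean_t) * (v - mean_v) for t, v in samples)
    return cov / var_t

def evaluate(samples: List[Sample], capacity: float,
             abs_threshold: float = 0.80,             # assumed: 80% full
             rate_threshold: float = 5 * GB / 3600    # assumed: 5GB/hour
             ) -> List[str]:
    """Return which of the two OR'd alerts fire for this window."""
    fired = []
    if samples and samples[-1][1] / capacity >= abs_threshold:
        fired.append("absolute")
    if fill_rate(samples) >= rate_threshold:
        fired.append("derivative")
    return fired

def series(start: float, rate_per_hour: float,
           n: int = 13, step: int = 300) -> List[Sample]:
    """Constructed sample data: one hour of 5-minute samples, linear growth."""
    return [(i * step, start + rate_per_hour / 3600 * i * step) for i in range(n)]

if __name__ == "__main__":
    cap = 500 * GB
    for name, s in [("40% full, +6GB/h", series(0.40 * cap, 6 * GB)),
                    ("85% full, flat", series(0.85 * cap, 0)),
                    ("30% full, +1GB/h", series(0.30 * cap, 1 * GB))]:
        print(name, "->", evaluate(s, cap) or "no alert")
```

The first series pages on the derivative while the disk is still far below 80%, and the second pages on the absolute threshold with no growth at all, which is why the two are OR'd rather than chosen between.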