Since moving to Cloudflare my server load is typically less than 2, but occasionally I'm still seeing it spike to 150+!

I've been watching top and the ssl log consistently, but haven't seen any patterns when it happens.

The server sends me an email to let me know when it's happening, but I always get it too late (the server load is high so the email can't send until the load drops). In the most recent email, though, I have a report on "apachestatus" that has this:

SrvPIDAccMCPUSSReqDurConnChildSlotClientProtocolVHostRequest
...
0-0110080/166/33797R75.74024535471580.01.97409.81172.70.134.134h2example.com:443[1/0] read: stream 0,
1-0134300/4/37803_2.1002436706250.00.01456.70123.45.67.89http/1.1example.com:443GET /legit_page HT

The top line is a Cloudflare IP, and the second line is a local (verified) user. Above that top line was 24 more lines, all with an apparent load of 75+.

Am I correct in reading that the verified user made a request and the server load was 2.1, then a Cloudflare request was made and the load spiked to 75.74?

Is there another variable in there that I should be looking at? Because if it went from 2.1 to 75.74 like that then there's just no explanation for the spike!

Another email that I received just a few minutes ago has this:

3-1248511/340/50908W142.8130010823190.03.96632.5523.22.35.162http/1.1example.com:443GET /different_legit_page
4-1269190/0/49145R0.000111165890.00.00596.90172.70.175.85http/1.1example.com:443

The top line's IP is to Amazon (most likely a bot), and the second is Cloudflare. But this time the Cloudflare line has a load of 0, then the next line is 142.81 :-O

Other files included are ps.txt, vmstat.txt, and netstat.txt. I've been looking at all of them but I really don't know what I'm looking for, and nothing is jumping out at me.

Any suggestions on how to read these files to see what's the source of the spike? Or any other suggestions on tracking it down?