https://community.splunk.com/t5/Getting-Data-In/Index-alert-excessive-growth/m-p/437952#M76356 <P>We are having problem with some of our indexes growing rapidly. I am trying to figure out a search/alert that have a deviation by the hour compared to previous days at the same time. I have the following search below that gives me the usage by the hour. Any help would be greatly appreciated. </P> <P>index=_internal group="per_index_thruput" earliest = -1h@h latest=@h<BR /> | eval mb=kb/1024<BR /> | timechart span=1h sum(mb) as HourlyTotal<BR /> | addtotals fieldname=HourlyTotal<BR /> | streamstats sum(HourlyTotal) AS AccumulatedTOTAL<BR /> | bucket _time span=1d </P> Tue, 29 Sep 2020 21:42:45 GMT Emiskowi 2020-09-29T21:42:45Z https://community.splunk.com/t5/Getting-Data-In/Index-alert-excessive-growth/m-p/437952#M76356 <P>We are having problem with some of our indexes growing rapidly. I am trying to figure out a search/alert that have a deviation by the hour compared to previous days at the same time. I have the following search below that gives me the usage by the hour. Any help would be greatly appreciated. </P> <P>index=_internal group="per_index_thruput" earliest = -1h@h latest=@h<BR /> | eval mb=kb/1024<BR /> | timechart span=1h sum(mb) as HourlyTotal<BR /> | addtotals fieldname=HourlyTotal<BR /> | streamstats sum(HourlyTotal) AS AccumulatedTOTAL<BR /> | bucket _time span=1d </P> Tue, 29 Sep 2020 21:42:45 GMT https://community.splunk.com/t5/Getting-Data-In/Index-alert-excessive-growth/m-p/437952#M76356 Emiskowi 2020-09-29T21:42:45Z https://community.splunk.com/t5/Getting-Data-In/Index-alert-excessive-growth/m-p/437953#M76357 <P>You can use standard deviation<BR /> | stats stdevp(HourlyTotal) as standdev by series | head 1 | where Hourly&gt; HourlyTotal*2</P> Sun, 28 Oct 2018 11:27:11 GMT https://community.splunk.com/t5/Getting-Data-In/Index-alert-excessive-growth/m-p/437953#M76357 valiquet 2018-10-28T11:27:11Z