Hi All,
Here I'm trying to build a query which produces the values of yesterday and today.
earliest=-1d@d latest=@d index="summary" | stats count(count) as yesterday_count by orig_sourcetype | appendcols [ search earliest=@d latest=now index="summary" | stats count(count) as today_count by orig_sourcetype]
What I'm looking for is a report of day-1, day-2, day-3, day-4...
If any one of the day-4 counts is more/less than 30% of the previous days, it should trigger the alert.
Taking your search into consideration, I'm assuming that the count field is already present in your data. Here's a simple way to achieve this and alert when the percentage of today's data is more than 30% of the count of previous data.
index=summary | autoregress count p=1-4 | eval previous_days_count = count_p2 + count_p3 + count_p4 | eval percentage = (previous_days_count * 100 / count_p1) | where percentage>30
Thanks for the response... I'm confused. Where are you taking the AVG of the previous days' counts and comparing it with the latest counts?
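As an added example (not from any post in this thread), here is one way to express the day-over-day check described above in SPL. It assumes each summary-index event carries a numeric count field that should be summed per day, compares each day's total with the average of the three days before it per orig_sourcetype, and keeps only the most recent complete day so the search can be saved as a scheduled alert that fires when the result count is greater than 0. The field names daily_count, prev_avg, pct_change and latest_day are chosen here and do not come from the thread.

```spl
index="summary" earliest=-4d@d latest=@d
| bin _time span=1d
| stats sum(count) as daily_count by _time orig_sourcetype
| sort 0 orig_sourcetype _time
| streamstats window=3 current=f avg(daily_count) as prev_avg by orig_sourcetype
| eval pct_change = round((daily_count - prev_avg) * 100 / prev_avg, 1)
| eventstats max(_time) as latest_day by orig_sourcetype
| where _time = latest_day AND isnotnull(prev_avg) AND abs(pct_change) > 30
| table orig_sourcetype _time daily_count prev_avg pct_change
```

The time range covers the last four complete days, bin and stats roll the summary events up into one row per day and sourcetype, and streamstats with current=f and window=3 builds the average of the three preceding days (the first rows of each sourcetype have no prev_avg and are dropped by isnotnull). The "more/less than 30%" condition is expressed as abs(pct_change) > 30; drop the abs() to alert on increases only. If today's partial day should be included, set latest=now, but a partial day will usually show up as a drop, so the threshold would need to account for that.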