
how to build a report/alert with the values of previous weeks?

Explorer

Hi All,
Here I'm trying to build a query which produces the values for yesterday and today:

earliest=-1d@d latest=@d index="summary"
| stats count(count) as yesterdaycount by origsourcetype
| appendcols [ search earliest=@d latest=now index="summary" | stats count(count) as todaycount by origsourcetype ]

What I'm looking for is a report of day-1, day-2, day-3, day-4, ...
If any day-4 count is more or less than 30% of the previous days' counts, it should trigger the alert.


Re: how to build a report/alert with the values of previous weeks?

Contributor

Taking your search into consideration, I'm assuming that the count field is already present in your data. Here's a simple way to achieve this and alert when the percentage of today's data is more than 30% of the count of the previous data.

index=summary
| autoregress count p=1-4
| eval previousdayscount = count_p2 + count_p3 + count_p4
| eval percentage = (previousdayscount * 100 / count_p1)
| where percentage > 30

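The search above runs autoregress over raw events, so "previous rows" are previous events rather than previous days, and it does not separate origsourcetype values. The following is an added example (not from the original thread) that first reduces the summary data to one row per day and origsourcetype, then compares each day against the average of the three days before it. It assumes that `count` is a per-event total that should be summed (hence sum(count) rather than count(count)), that four complete days ending yesterday is the window of interest, and that a 30% deviation in either direction should fire; adjust the span, window and threshold to taste.

```spl
index="summary" earliest=-4d@d latest=@d
``` one row per calendar day and origsourcetype; sum(count) assumes count is a per-event total ```
| bin _time span=1d
| stats sum(count) as daycount by _time origsourcetype
| sort 0 origsourcetype _time
``` average of the preceding 3 days per origsourcetype; current=f excludes the row being evaluated ```
| streamstats window=3 current=f avg(daycount) as avg_prev count as n_prev by origsourcetype
``` require a full 3-day baseline so a new origsourcetype does not fire on incomplete data ```
| where n_prev = 3 AND avg_prev > 0
| eval pct_change = round((daycount - avg_prev) * 100 / avg_prev, 1)
``` keep only the most recent complete day (yesterday) for the alert; drop this line for a full report ```
| where _time = relative_time(now(), "-1d@d")
``` fire when the day is more than 30% above or below its baseline ```
| where abs(pct_change) > 30
| table _time origsourcetype daycount avg_prev pct_change
```

Save this as a scheduled search that runs shortly after midnight and alert on "number of results greater than 0". Using streamstats with a `by` clause (instead of autoregress) keeps each origsourcetype's baseline separate, and the `n_prev = 3` check avoids spurious alerts on the first days a source appears.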

Re: how to build a report/alert with the values of previous weeks?

Explorer

Thanks for the response. I'm confused: where are you taking the average of the previous days' counts and comparing it with the latest count?
