Here I'm trying to build a query which produces the values of yesterday and today.
earliest=-1d@d latest=@d index="summary" | stats count(count) as yesterdaycount by origsourcetype | appendcols [ search earliest=@d latest=now index="summary" | stats count(count) as todaycount by origsourcetype]
What I'm looking for is a report of day-1, day-2, day-3, day-4.
If any one of the day-4 counts is more/less than 30% of the previous days, it should trigger the alert.
Taking your search into consideration, I'm assuming that the count field is already present in your data. Here's a simple way to achieve this and alert when the percentage of today's data is more than 30% of the count of previous data.
index=summary | autoregress count p=1-3 | eval previousdayscount = count_p1 + count_p2 + count_p3 | eval percentage = (count * 100 / previousdayscount) | where percentage>30
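An added example, not part of the original answer: an alert search that does the comparison the question describes, the latest complete day against the average of the three previous days, per origsourcetype, firing when the deviation is more than 30% in either direction. It assumes, as in the thread, that the summary-index events carry a numeric count field and an origsourcetype field; the field names daily, prev_avg, prev_days and pct_change are my own, not from the original search.

```spl
index="summary" earliest=-4d@d latest=@d
| bin _time span=1d
| stats sum(count) as daily by _time origsourcetype
| sort 0 origsourcetype _time
| streamstats window=3 current=false avg(daily) as prev_avg count as prev_days by origsourcetype
| where prev_days=3
| eval pct_change = round((daily - prev_avg) * 100 / prev_avg, 1)
| where abs(pct_change) > 30
| table _time origsourcetype daily prev_avg pct_change
```

The time range covers exactly four complete days (day-4 through day-1, where day-1 is yesterday); change latest=@d to latest=now if the partially complete current day should be compared instead. The stats step collapses however many summary events exist per day and sourcetype into one daily total, so autoregress-style lag fields are not needed; streamstats with current=false builds the average from the rows before the current one, and the prev_days=3 filter keeps only the row that has three earlier days behind it. Two caveats: a sourcetype with no events on one of the days has no row for it, so the window silently spans non-consecutive days, and a prev_avg of 0 makes pct_change null and drops the row, which hides a sourcetype that went from nothing to something. Save the search as a scheduled alert with the trigger condition "number of results > 0".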
Thanks for the response... I'm confused. Where are you taking the AVG of the previous days' counts and comparing it with the latest counts?