The following is my query to list the API ingress flow of traffic from each of the partners. I would like to add an alert when there is a steep increase in traffic due to campaigns, by looking at the last 1 week of average traffic by partner and alerting when the volume of calls increases to 2x the average, to identify the partner.
index="access" "http_host=*.apir.test.com" | rename a as ApplicationId | lookup AppIdLookup ApplicationId OUTPUT PartnerName | timechart usenull=f span=1h count by PartnerName where top100 desc
I tried with anomalydetection action=summary, but it's not working. Any help here would be appreciated.
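One way to express the alert described in the question, as an added example rather than the asker's own search: it keeps the original base search and lookup, uses timechart/untable so hours with zero calls still count toward the baseline, and compares the last complete hour for each partner against the average of the preceding hours in the 7-day window. The field `a`, the `AppIdLookup` lookup and the host pattern are taken from the question; the 2x threshold is the one stated there.

```spl
index="access" "http_host=*.apir.test.com" earliest=-7d@h latest=@h
| rename a as ApplicationId
| lookup AppIdLookup ApplicationId OUTPUT PartnerName
| timechart span=1h limit=0 usenull=f count by PartnerName
| untable _time PartnerName calls
| eval is_latest=if(_time >= relative_time(now(), "-1h@h"), 1, 0)
| eventstats avg(eval(if(is_latest=0, calls, null()))) as baseline_avg by PartnerName
| where is_latest=1 AND baseline_avg > 0 AND calls > 2 * baseline_avg
| eval ratio=round(calls / baseline_avg, 2)
| table _time PartnerName calls baseline_avg ratio
```

Save it as a scheduled search that runs hourly with the trigger condition "number of results > 0"; each result row names a partner whose last-hour call volume exceeded twice its hourly average over the previous week, and the `baseline_avg > 0` guard keeps a partner with no prior traffic from dividing by zero.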