index=1234 message="auth failure*" earliest=-13h@h latest=-0h@h
| bucket _time as Hour span=1h
| rename COMMENT as "process all of the records through an appendpipe to see if traffic is double"
| appendpipe [
    | stats count as logCountByHour by Hour
    | eventstats max(Hour) as maxHour
    | stats max(maxHour) as maxHour
        avg(eval(case(Hour!=maxHour,logCountByHour))) as prevTwelveHourAvg
        avg(eval(case(Hour=maxHour,logCountByHour))) as lastHour
    | eval myflag=case(lastHour>2*prevTwelveHourAvg,"alertme")
    | rename COMMENT as "setting Hour to maxHour will connect the myflag field (if set) to each record in that Hour."
    | eval Hour = maxHour
    ]
| rename COMMENT as "Kill all events but the last hour, then roll over whatever we received from the appendpipe"
| rename COMMENT as "maxHour only exists on the summary row the appendpipe added, so recompute it across the original events before filtering on it"
| eventstats max(Hour) as maxHour
| where Hour == maxHour
| eventstats max(myflag) as myflag by Hour
| rename COMMENT as "Pass the last Hour's events, only if the flag was set."
| where isnotnull(myflag)
@ahendler1 - That's what it should be doing. Verify, using the _time field, that the records are for the final hour. Then just use the |fields or |table commands to limit the output to the fields that you want to see, including _raw.
|table _time _raw ...whatever other fields you want...
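The same "last hour more than double the previous twelve" detection, written out in Python as an added example so the logic can be run and checked offline (this is not code from the original answer or from Splunk). The events, the fixed "now", and every name below (NOW, build_sample_events, spike_check, alert_events) are this example's own constructions standing in for `index=1234 message="auth failure*"`. It also exposes one caveat of the SPL: `stats count ... by Hour` emits no row for an hour with zero events, so prevTwelveHourAvg is an average over hours that had at least one failure, not over twelve clock hours; the `zero_fill` switch shows how that changes the verdict.

```python
"""Hourly auth-failure spike check with the same logic as the SPL answer above.

Added example, not code from the original post. Events and timestamps are
constructed sample data; all names here are this example's own, not Splunk's.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed "now": if the search ran at 14:37, latest=-0h@h is 14:00 and
# earliest=-13h@h is 01:00, giving 13 complete hourly buckets.
NOW = datetime(2024, 3, 5, 14, 37, tzinfo=timezone.utc)


def hour_bucket(ts):
    """Equivalent of `| bucket _time as Hour span=1h`."""
    return ts.replace(minute=0, second=0, microsecond=0)


def in_window(ts, now=NOW, hours=13):
    """Equivalent of earliest=-13h@h latest=-0h@h (latest is exclusive)."""
    latest = hour_bucket(now)
    return latest - timedelta(hours=hours) <= ts < latest


def build_sample_events(now=NOW, per_hour=3, burst=20, quiet_hours=()):
    """Constructed sample: `per_hour` failures in each of the 12 baseline
    hours (offsets listed in quiet_hours get none), then `burst` failures in
    the last complete hour. Returns (timestamp, raw) pairs."""
    events = []
    start = hour_bucket(now) - timedelta(hours=13)
    for h in range(12):
        if h in quiet_hours:
            continue
        hour = start + timedelta(hours=h)
        for i in range(per_hour):
            events.append((hour + timedelta(minutes=5 + 10 * i),
                           f"auth failure: user=svc{i} src=10.0.0.{h}"))
    last = start + timedelta(hours=12)
    for i in range(burst):
        events.append((last + timedelta(minutes=i),
                       "auth failure: user=admin src=203.0.113.7"))
    return events


def spike_check(events, now=NOW, factor=2.0, zero_fill=False):
    """Return (max_hour, last_hour_count, prev_avg, flagged).

    Mirrors the appendpipe: stats count by Hour, maxHour = max(Hour),
    prevTwelveHourAvg = avg over Hour != maxHour, flag if last > factor * avg.
    zero_fill=False keeps the SPL semantics (hours with no events contribute
    nothing to the average); zero_fill=True counts every hour in the window.
    """
    counts = Counter(hour_bucket(ts) for ts, _ in events if in_window(ts, now))
    if not counts:
        return None, 0, 0.0, False
    max_hour = max(counts)
    if zero_fill:
        latest = hour_bucket(now)
        prev_hours = [latest - timedelta(hours=h) for h in range(1, 14)]
        prev = [counts.get(h, 0) for h in prev_hours if h != max_hour]
    else:
        prev = [c for h, c in counts.items() if h != max_hour]
    prev_avg = sum(prev) / len(prev) if prev else 0.0
    last = counts[max_hour]
    # case() with no default yields null when nothing matches: no baseline, no alert
    flagged = bool(prev) and last > factor * prev_avg
    return max_hour, last, prev_avg, flagged


def alert_events(events, now=NOW, factor=2.0, zero_fill=False):
    """Outer pipeline: keep only maxHour's raw events, and only when flagged."""
    max_hour, _, _, flagged = spike_check(events, now, factor, zero_fill)
    if not flagged:
        return []
    return [(ts, raw) for ts, raw in events
            if in_window(ts, now) and hour_bucket(ts) == max_hour]


if __name__ == "__main__":
    evs = build_sample_events()
    print(spike_check(evs))
    for ts, raw in alert_events(evs)[:3]:
        print(ts.isoformat(), raw)
```

With the default sample the baseline is 3 failures per hour and the last hour has 20, so the hour is flagged and only its events come back, which is what `| where isnotnull(myflag)` passes through. With a sparse baseline (two busy hours, ten empty ones, five failures in the last hour) the SPL-style average is 3 and nothing fires, while the zero-filled average is 0.5 and it does; decide which baseline you actually want before trusting the alert.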