I am trying to create an alert which will notify me when the percentage change in the delta/difference of events exceeds 100% (minimum of 10 events, as I want to try and eliminate the influence of low numbers on the percentage change, i.e., going from 1 event to 6, etc.).
My search query as follows:
index=indexname earliest=-2h@h latest=@h Subject="xzy" SenderAddress="email@example.com"
| timechart span=1h partial=false count
| delta count as difference
| eval difference=coalesce(difference,0)
| eval percentDifference=round(abs(difference/(count - difference))*100)
| where (difference > 1 AND percentDifference > 100)
| where count > 10
Just wanted to see if a) there was a more efficient way to run this query and b) confirm that this search should be run every hour and 10 minutes or so (there is a lag time of the logs flowing in that's about 10 minutes behind).
You can use index_latest to help cover late arriving events.
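An added example, not from either post, applying that suggestion to the search in the question: the actual search-time modifiers are _index_earliest and _index_latest, which bound on index time rather than event time, so an hourly scheduled search counts each event exactly once no matter how late it arrives. Assumptions: the index and field values are copied from the question; re-bucketing on _indextime (eval _time=_indextime), the one-hour padding of the _time window, and applying the 10-event minimum to the previous hour's count are my choices.

```spl
index=indexname Subject="xzy" SenderAddress="email@example.com"
    earliest=-3h@h latest=now
    _index_earliest=-2h@h _index_latest=@h
| eval _time=_indextime
| bin _time span=1h
| stats count by _time
| delta count as difference
| eval previousCount=count-difference
| where isnotnull(difference) AND previousCount>=10
| eval percentDifference=round(abs(difference)/previousCount*100)
| where difference>0 AND percentDifference>100
```

Scheduled on the hour with the trigger condition "number of results > 0", this compares the hour just indexed against the one before it, and the 10-minute ingest lag no longer matters because events are grouped by when they were indexed.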