This query worked for me. It doesn't compare to yesterday but you could easily do that with the timewrap app.
index=_internal source="*license_usage.log*" | where idx!="NULL" | timechart limit=0 span=1d sum(eval(round(b/1024/1024/1024,5))) by idx
If you can track indexing by hosts instead of user, then you can use the built-in usage data with the following:
index=_internal source=*license_usage.log* type="Usage" idx=<YOUR_INDEX> | timechart span=1d limit=0 eval(round(sum(b)/1024/1024,3)) as MB by h
If you need to track indexing by user, then you would have to look at the raw data lengths.
index=<YOUR_INDEX> | timechart span=1d limit=0 sum(eval(len(_raw)/1024/1024)) by <USER_FIELD>
Without getting into worrying about days of the week and patterns of behavior, you can then compare between days with the following, where you will see where there is a 50% change in volume:
| untable _time user mb | streamstats window=1 current=f last(mb) as prev_mb by user | eval perc_diff = (abs(prev_mb - mb)/mb)*100 | search perc_diff > 50 prev_mb > 0
Ok then, how about this? Your "N" can be set by changing the value "limit=N" in the
index=_internal source=*license_usage.log* type="Usage" | timechart span=1d limit=10 eval(round(sum(b)/1024/1024,3)) as mb by idx | untable _time idx mb | streamstats window=1 current=f last(mb) as prev_mb by idx | eval perc_diff = (abs(prev_mb - mb)/mb)*100 | eval marker = if(perc_diff > 50 AND prev_mb > 0, 1, 0)
That query should give you the field marker on the day when a given index changed by 50% or more as compared to the previous day. You could overlay that information with a chart showing the daily totals, or you could filter down to just that field and set up alerts.
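The day-over-day check in the two queries above, replayed as an added example that is not from the original thread: a Python script that applies the same timechart / streamstats / perc_diff logic to a few constructed license_usage.log Usage lines (line shape assumed from the real log; only idx= and b= are parsed) and returns the rows the marker would be set on. It differs from the SPL in one place: a day where an index drops to zero bytes is flagged as a 100% change instead of coming out null.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Splunk's license_usage.log "Usage" records
# (real lines carry more fields, e.g. s=, st=, i=, pool=; only idx= and b= matter here).
SAMPLE_LOG = """\
04-01-2024 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage h="web01" idx="web" b=209715200
04-01-2024 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage h="db01" idx="db" b=104857600
04-01-2024 01:00:10.000 +0000 INFO  LicenseUsage - type=Usage h="web02" idx="web" b=104857600
04-02-2024 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage h="web01" idx="web" b=734003200
04-02-2024 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage h="db01" idx="db" b=115343360
04-03-2024 00:00:10.000 +0000 INFO  LicenseUsage - type=RolloverSummary
04-03-2024 00:00:10.000 +0000 INFO  LicenseUsage - type=Usage h="db01" idx="db" b=125829120
"""

USAGE_RE = re.compile(r'^(\d{2}-\d{2}-\d{4}) .*?\btype=Usage\b.*?\bidx="([^"]*)".*?\bb=(\d+)')

def daily_mb_by_index(log_text):
    """Like `timechart span=1d sum(b) by idx`: {idx: [(date, MB), ...]} with 0 for silent days."""
    totals = defaultdict(lambda: defaultdict(float))
    days = set()
    for line in log_text.splitlines():
        m = USAGE_RE.match(line)
        if not m:  # RolloverSummary and other non-Usage lines are skipped, as type="Usage" does
            continue
        day = datetime.strptime(m.group(1), "%m-%d-%Y").date()
        days.add(day)
        totals[m.group(2)][day] += int(m.group(3)) / 1024 / 1024
    span = [min(days) + timedelta(days=i) for i in range((max(days) - min(days)).days + 1)]
    return {idx: [(d, by_day.get(d, 0.0)) for d in span] for idx, by_day in totals.items()}

def flag_changes(series, threshold=50.0):
    """Mirror `streamstats last(mb) as prev_mb` + perc_diff; return rows over the threshold."""
    flagged = []
    for idx, rows in series.items():
        prev_mb = None
        for day, mb in rows:
            if prev_mb is not None and prev_mb > 0:
                # The forum query divides by the current day's mb; a day that drops to 0 MB
                # gives null in SPL, so it is treated here as a 100% change instead.
                perc_diff = abs(prev_mb - mb) / mb * 100 if mb > 0 else 100.0
                if perc_diff > threshold:
                    flagged.append((idx, day.isoformat(), round(mb, 3), round(prev_mb, 3), round(perc_diff, 1)))
            prev_mb = mb
    return flagged

if __name__ == "__main__":
    for row in flag_changes(daily_mb_by_index(SAMPLE_LOG)):
        print(row)
```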
To see how much each source is putting through, try this search; change the sourcetype as needed.
index=<YOUR_INDEX> sourcetype=<YOUR_SOURCETYPE>
| fields _raw, _time, host
| eval evtbytes = len(_raw)
| timechart span=1d sum(eval(evtbytes/1024/1024)) AS TotalMB by host
To see how big your indexes are, try this search:
| rest /services/data/indexes | eval perc=(currentDBSizeMB * 100 / maxTotalDataSizeMB ) | table title currentDBSizeMB maxTotalDataSizeMB perc