Hi vikas_gopal,

take a look at this run everywhere command, this will compare event count from 3 minutes ago with event count 2 minutes ago:

index=_internal earliest=-3min@min 
| bucket _time span=1min 
| stats last(_time) AS last_time count AS per_min_count by _time, host
| eval 2min_ago = if(last_time > exact(relative_time(now(),"-3min@min")) AND last_time <= exact(relative_time(now(),"-2min@min")) , per_min_count ,"0")
| eval current_count = if(last_time > exact(relative_time(now(),"-2min@min")) AND last_time <= exact(relative_time(now(),"-1min@min")) , per_min_count ,"0") 
| stats max(last_time) AS _time, values(host) AS host, max(current_count) AS current_count, max(2min_ago) AS 2min_ago 
| eval diff = '2min_ago' - 'current_count'

Hope this helps to get you started ...

cheers, MuS