I have an alert that fires when the hourly count is 50% greater hour over hour; this seems to be working fine:
index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=-1h@h latest=@h
| stats count as LastHour
| appendcols [search index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=@h latest=now | stats count as CurrHour]
| where CurrHour>1.5*LastHour
This reports the LastHour and CurrHour values, which I would like. In addition to this I would also like the report to include something like the results from this search when the alert fires:
index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=@h latest=now | chart count over errorCode
I'm not sure how to combine these to include both of these in the report output.
Try this as your alert search:
index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=-1h@h latest=now
| eval period=if(_time>=relative_time(now(),"@h"),"CurrHour","LastHour")
| chart count over errorCode by period
| eventstats sum(CurrHour) as totCurrHour sum(LastHour) as totLastHour
| where totCurrHour>1.5*totLastHour
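The following Python is an added reference model of that search, not code from the answerer or from Splunk: it assigns each event to LastHour or CurrHour the way the eval/relative_time step does, builds the same errorCode-by-period table that chart produces, sums the columns as eventstats does, and applies the 1.5x test. The events, timestamps and errorCode values are constructed for the example. One assumption is spelled out in the code: when no events landed in the previous hour the LastHour column does not exist in the chart output, so the where clause in the answer compares against null and the alert stays silent; the model behaves as if fillnull value=0 CurrHour LastHour had been inserted before eventstats, which makes any current-hour event fire in that situation. Pick whichever behaviour you actually want.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "now" for the example (not a real run time).
NOW = datetime(2024, 5, 1, 10, 25, tzinfo=timezone.utc)


def snap_to_hour(t):
    """Splunk's @h snap: truncate a timestamp to the start of its hour."""
    return t.replace(minute=0, second=0, microsecond=0)


def sample_events(now=NOW):
    """Constructed (_time, errorCode) pairs standing in for foo_web events."""
    last = snap_to_hour(now) - timedelta(hours=1)   # earliest=-1h@h
    cur = snap_to_hour(now)                          # relative_time(now(),"@h")
    events = [(last + timedelta(minutes=m), c) for m, c in
              [(5, "E100"), (15, "E100"), (40, "E200"), (55, "E300")]]
    events += [(cur + timedelta(minutes=m), c) for m, c in
               [(1, "E100"), (3, "E100"), (7, "E100"), (9, "E200"),
                (12, "E200"), (20, "E400"), (24, "E100")]]
    # One event just before earliest: the time window must drop it.
    events.append((last - timedelta(minutes=1), "E999"))
    return events


def chart_by_period(events, now):
    """Model of:
         earliest=-1h@h latest=now
         | eval period=if(_time>=relative_time(now(),"@h"),"CurrHour","LastHour")
         | chart count over errorCode by period
         | fillnull value=0 CurrHour LastHour   (assumption, see lead-in)
       Returns {errorCode: {"LastHour": n, "CurrHour": n}}."""
    cur_start = snap_to_hour(now)
    earliest = cur_start - timedelta(hours=1)
    chart = defaultdict(lambda: {"LastHour": 0, "CurrHour": 0})
    for t, code in events:
        if t < earliest or t >= now:      # earliest inclusive, latest exclusive
            continue
        period = "CurrHour" if t >= cur_start else "LastHour"
        chart[code][period] += 1
    return dict(chart)


def evaluate_alert(events, now=NOW, ratio=1.5):
    """Model of the eventstats/where tail of the answer's search.
    Returns (chart, totLastHour, totCurrHour, fired)."""
    chart = chart_by_period(events, now)
    tot_last = sum(row["LastHour"] for row in chart.values())
    tot_cur = sum(row["CurrHour"] for row in chart.values())
    # With fillnull semantics (modelled here) an empty previous hour gives
    # tot_last == 0, so any current-hour event satisfies tot_cur > 0.
    # Without fillnull, Splunk has no LastHour column, sum(LastHour) is
    # null, and the where clause is false, so the alert does not fire.
    fired = tot_cur > ratio * tot_last
    return chart, tot_last, tot_cur, fired


if __name__ == "__main__":
    chart, last, cur, fired = evaluate_alert(sample_events())
    for code, row in sorted(chart.items()):
        print(f"{code:6} LastHour={row['LastHour']} CurrHour={row['CurrHour']}")
    print(f"totLastHour={last} totCurrHour={cur} fired={fired}")
```

On the constructed data the previous hour holds 4 errors and the current partial hour 7, so 7 > 1.5*4 fires, and the per-errorCode rows are exactly what the alert's report would carry alongside the totals.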