The pseudo search would be like this
source="deleted.xml" earliest=@d ACCIDENTAL_DELETES > ...
| stats count by client_indentifier_field
| where count>[search source="deleted.xml" earliest=-1mon@m latest=@mon ACCIDENTAL_DELETES > .. | query to calculate last month's average | table average | rename average as query]
