| tstats count as event_count where index=_internal by sourcetype _time span=24h
| eval day = strftime(_time, "%d")
| eventstats dc(day) as days
| eventstats sum(event_count) as days_total by sourcetype
| eval days_avg = round(days_total / days, 2)
| eval perc_change = round((event_count / days_avg) * 100, 2)
| eval delta = round(event_count - days_avg, 2)
| where _time >= now() - 86400
| eval alert = if(perc_change > 70 AND delta < 0, "ALERT", "OK")
Thanks @adonio
I modified the query for @adonio.