Oh sorry. Basically, an alert definition will run every minute or so; the search will count the number of events for the 4 previous same days of the week, but only for the same 5 minutes up to the current time. So if it's now 13:00, it'd count events in 12:55-13:00 for D-7, D-14, D-21 and D-28. You then have 4 values with which you can calculate an avg and stdev. Based on this you can calculate and define a lowerBound and upperBound (something like avg-stdev and avg+stdev). You count events in 12:55-13:00 of today and use isOutlier to know whether you're in your defined range or not.

Table wise, that would be something like this I guess:

time period | D-7 | D-14 | D-21 | D-28 | avg | stdev | upperBound | lowerBound | D | isOutlier

When possible, it also needs to be CPU friendly; there is an auto-check because they don't like that 😋
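A small Python version of the same-weekday baseline described in the post, added here as an example and not code from the original thread. The event timestamps are constructed, and the k multiplier on stdev is an assumption (the post uses avg-stdev and avg+stdev, i.e. k=1).

```python
from datetime import datetime, timedelta
from statistics import mean, stdev

WINDOW = timedelta(minutes=5)
LOOKBACK_WEEKS = (1, 2, 3, 4)  # D-7, D-14, D-21, D-28


def count_in_window(events, start, end):
    """Count event timestamps t with start <= t < end (end is exclusive)."""
    return sum(1 for t in events if start <= t < end)


def baseline_row(events, now, k=1.0):
    """Build one row of the table from the post: counts for the same 5-minute
    window on the four previous same weekdays, avg/stdev, the bounds, today's
    count (D) and the isOutlier flag. k=1.0 reproduces avg +/- stdev."""
    start, end = now - WINDOW, now
    history = {
        f"D-{7 * w}": count_in_window(events, start - timedelta(weeks=w), end - timedelta(weeks=w))
        for w in LOOKBACK_WEEKS
    }
    values = list(history.values())
    avg = mean(values)
    # Sample stdev over only 4 points is noisy; if all 4 counts are identical it is 0
    # and the bounds collapse to avg, so any deviation today is flagged.
    sd = stdev(values)
    lower, upper = avg - k * sd, avg + k * sd
    today = count_in_window(events, start, end)
    row = dict(history)
    row.update(avg=avg, stdev=sd, upperBound=upper, lowerBound=lower, D=today,
               isOutlier=int(today < lower or today > upper))
    return row


def make_events(now, counts_by_week, today_count):
    """Constructed sample data: n events inside each historical 5-minute window,
    today_count events in today's window, plus two events just outside the windows
    to show they are not counted."""
    events = []
    for w, n in zip(LOOKBACK_WEEKS, counts_by_week):
        base = now - timedelta(weeks=w) - WINDOW
        events += [base + timedelta(seconds=20 * i) for i in range(n)]
    base = now - WINDOW
    events += [base + timedelta(seconds=5 * i) for i in range(today_count)]
    events.append(now - timedelta(weeks=1) - WINDOW - timedelta(seconds=1))  # before D-7 window
    events.append(now)  # exactly at the end of today's window, excluded
    return events


if __name__ == "__main__":
    now = datetime(2024, 5, 13, 13, 0)  # a Monday, 13:00
    print(baseline_row(make_events(now, (10, 12, 11, 9), 40), now))
```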