Thanks for your input! It was helpful to get started.
I am thinking I am getting close: if I can just take the search I made a few years ago and get it to work with the sourcetypes and alert off the -volume_p1 when "where pct_diff > 20.0", we will be in working shape! Wish me luck!
index=_internal source=*license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| stats sum(b) as b by _time, pool, s, h, idx
| search pool="Splunk Production"
| timechart span=1h sum(b) AS volume
| eval volume=round(volume/1024/1024/1024, 2) ```bytes to GiB, two decimals```
| autoregress volume ```volume_p1 = the preceding hour; timechart output is already oldest-first, so no reverse before this```
| eval pct_diff=if(volume_p1 > 0, round(100.0*(volume-volume_p1)/volume_p1, 2), null()) ```percent change; first bucket and zero-volume hours give null and are dropped by where```
| where pct_diff > 20.0
| reverse ```newest hour first for display only```
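As an added example, not code from the original post or from Splunk, here is the same hour-over-hour spike check re-implemented in Python so the threshold logic can be tested offline before it becomes an alert. The log lines, the function names and the 20 percent threshold are assumptions for illustration; the lines are constructed to look like license_usage.log type=Usage records and are not real data. It mirrors each stage of the search: the (SQUASHED)/(UNKNOWN) fill-ins, the pool filter, the one-hour buckets with empty hours filled as zero, the GiB rounding, and the comparison with the preceding hour, skipping the first bucket and any bucket whose predecessor is zero, where no percentage is defined.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like license_usage.log type=Usage records (not real data):
# s=source, st=sourcetype, h=host, idx=index, pool=license pool, b=bytes indexed.
SAMPLE_LOG = """\
10-01-2024 00:10:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" idx="os" pool="Splunk Production" b=1073741824
10-01-2024 00:40:00.000 +0000 INFO  LicenseUsage - type=Usage s="" st="syslog" h="" idx="os" pool="Splunk Production" b=1073741824
10-01-2024 00:50:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/test.log" st="syslog" h="lab01" idx="lab" pool="Lab Pool" b=5368709120
10-01-2024 01:30:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" idx="os" pool="Splunk Production" b=2362232012
10-01-2024 02:30:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" idx="os" pool="Splunk Production" b=3543348019
10-01-2024 03:30:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st="linux_secure" h="web01" idx="os" pool="Splunk Production" b=3221225472
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
TS_FMT = "%m-%d-%Y %H:%M:%S.%f %z"                 # the leading 29-character timestamp
GIB = 1024 ** 3


def parse_usage_lines(text):
    """Parse type=Usage lines into records, applying the search's (SQUASHED)/(UNKNOWN) fill-ins."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
        if fields.get("type") != "Usage":
            continue
        ts = datetime.strptime(line[:29], TS_FMT)
        records.append({
            "hour": ts.replace(minute=0, second=0, microsecond=0),   # the timechart span=1h bucket
            "pool": fields.get("pool", ""),
            "s": fields.get("s") or "(SQUASHED)",
            "h": fields.get("h") or "(SQUASHED)",
            "idx": fields.get("idx") or "(UNKNOWN)",
            "b": int(fields.get("b", 0)),
        })
    return records


def hourly_volume_gb(records, pool):
    """Mirror stats | search pool | timechart: one GiB value per hour, rounded to two places,
    with hours that had no usage filled as 0 the way timechart fills empty buckets."""
    by_hour = defaultdict(int)
    for r in records:
        if r["pool"] == pool:
            by_hour[r["hour"]] += r["b"]
    if not by_hour:
        return []
    hour, last = min(by_hour), max(by_hour)
    series = []
    while hour <= last:
        series.append((hour, round(by_hour.get(hour, 0) / GIB, 2)))
        hour += timedelta(hours=1)
    return series


def pct_diff_alerts(series, threshold=20.0):
    """Mirror autoregress + where: compare each hour with the preceding one in time order.
    The first bucket has no predecessor and a 0-GiB predecessor has no defined percentage;
    both are skipped, just as the null results of the eval fail the where clause in SPL."""
    alerts = []
    for (_, prev), (hour, cur) in zip(series, series[1:]):
        if prev == 0:
            continue
        pct = round(100.0 * (cur - prev) / prev, 2)
        if pct > threshold:
            alerts.append((hour, cur, prev, pct))
    return alerts


if __name__ == "__main__":
    series = hourly_volume_gb(parse_usage_lines(SAMPLE_LOG), "Splunk Production")
    for hour, cur, prev, pct in pct_diff_alerts(series):
        print(f"{hour:%Y-%m-%d %H:00}: {cur} GiB vs {prev} GiB previous hour ({pct:+}%)")
```

On the sample data only the 02:00 bucket fires (3.3 GiB against 2.2 GiB the hour before, a 50 percent rise); the 01:00 rise is 10 percent and the 03:00 drop is negative, so neither clears the threshold. The Lab Pool record is excluded by the pool filter, and the record with empty host and source is counted under (SQUASHED) rather than lost.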