I tried to use what you provided with my data. I think it can work, but I am using a summary index and not the _internal index. Inside of that summary index, the actual indexes are named "Indexes" . I posted below my attempt to gel your search and my stuff together. Maybe you can help me now that you know this info | tstats count where index=dg_app_summary NOT (Indexes="All*" OR Indexes="Undefined" OR Indexes="_*") earliest=-30d@d latest=now by _time, Indexes span=1d | stats sum(count) as svc_usage by Indexes _time ``` 1. Build a baseline for every index - Replace these lines with your original SVC search``` | where Indexes=proxy OR Indexes=aws ```2. 30‑day avg per index``` | eventstats avg(svc_usage) as avg_svc by Indexes ```3. Keep only the last day (the day you are currently monitoring)``` | where _time >= relative_time(now(), "-1d") ```4. Thresholds – 25% above or below the 30‑day average``` | eval si_high = avg_svc * 1.25 | eval si_low = avg_svc * 0.75 ```5. Find any day that is outside the band``` | where svc_usage > si_high OR svc_usage < si_low ```6. Show the top 10 indexes by daily usage (optional)``` | sort 0 -svc_usage | head 10 | table _time Indexes svc_usage avg_svc si_high si_low ... View more

It's a daily alert: Some days like Saturday or Sunday might not lower than Monday and Tuesday. But let's say last Monday the highest SVC was 140. But this Monday it was 200. I want to know that happened. it can be percentage or statistical.   I tried to use the MTLK command but I kept getting an error.  ... View more