@prakashaig ,
You might need to find an avg event count (baseline) for the hosts and calculate the percentage of difference based on that.
Try if this works for you
your current search
|eventstats avg(eventCount ) as Avg
|eval percentage=abs(round((eventCount-avg)/avg*100,2))
Alert based on the percentage of deviation
... View more