I currently use the following query to compare volume counts between current day and a week ago:
sourcetype=abc index=xyz source=foo earliest=-0d@d latest=now |
bucket _time span=30m |
stats count by _time |
eval ReportLabel="Today" |
append [search sourcetype=abc index=xyz source=foo earliest=-7d@d latest=-6d@d |
bucket _time span=30m |
stats count by _time |
eval ReportLabel="PreviousWeek" |
eval _time=_time+(60*60*24*7)] |
chart max(count) as count over _time by ReportLabel
I'm interested in leveraging this query (if possible) to alert me if volume counts between the two time periods deviate by a certain percentage. Since the alert would run every 30 minutes, I'd have to adjust the timeframes accordingly.
- How would I capture a specific half hour period from the previous week to reference against current day?
- How could a deviation calculation be applied?
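One way to answer both questions with a single scheduled search, as an added example that is not part of the original post: the outer search takes the last completed 30-minute window, the `appendcols` subsearch takes the same 30-minute window exactly seven days earlier (snap to the minute first, then offset back 30 minutes, so both ranges line up when the alert runs every half hour), and the `eval` computes the percentage change of the current count against the previous-week count. The 25% threshold, the field names `current_count`, `previous_count` and `pct_change`, and the decision to also fire when there is no baseline (`previous_count` of 0) are assumptions for illustration.

```spl
sourcetype=abc index=xyz source=foo earliest=-30m@m latest=@m
| stats count AS current_count
| appendcols [search sourcetype=abc index=xyz source=foo earliest=-7d@m-30m latest=-7d@m
    | stats count AS previous_count]
| fillnull value=0 current_count previous_count
| eval pct_change=if(previous_count>0, round((current_count-previous_count)/previous_count*100, 1), null())
| where isnull(pct_change) OR abs(pct_change)>25
```

Because `stats count` without a `by` clause returns exactly one row, `appendcols` places `previous_count` beside `current_count` on that row instead of adding a second row the way `append` does in the original query. Saved as an alert on a `*/30 * * * *` cron schedule with the trigger condition "number of results is greater than 0", the search only produces a row when the deviation exceeds the threshold or when the week-ago window had no events at all (which `isnull(pct_change)` surfaces rather than silently dividing by zero). To alert on only one direction, replace `abs(pct_change)>25` with `pct_change<-25` for a drop or `pct_change>25` for a spike.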