Search to find higher than expected volume from a UF


I have a very simple question. I'm using one of the Deployment application searches, which shows hosts with higher than expected volumes. I would like for the search to only show the instances where the difference between last week and the current rate is over a certain number (maybe 1048576KB).

Below is the search that I'm using:

`forwarder_metrics`
| `forwarder_metrics_stats` avg(kb) as avg_kb_today by sourceIp
| join sourceIp type=outer [search earliest=-169h@h latest=-168h@h `forwarder_metrics` | stats avg(kb) as avg_kb_last_week by sourceIp]
| fillnull avg_kb_today avg_kb_last_week
| appendcols [search `indexer_ratio` | fields indexer_ratio]
| streamstats first(indexer_ratio) as indexer_ratio
| where indexer_ratio*avg_kb_last_week < .5*avg_kb_today
| eval kb_diff = abs(round(avg_kb_last_week - avg_kb_today, 4))
| eval kb_diff_perc = round(100*kb_diff/avg_kb_last_week, 4)
| eval avg_kb_last_week = round(avg_kb_last_week, 4)
| eval avg_kb_today = round(avg_kb_today, 4)
| fields sourceHost connectionType avg_kb_last_week avg_kb_today kb_diff kb_diff_perc
| rename sourceHost as "Forwarder" avg_kb_last_week as "Average KBps Last Week" avg_kb_today as "Average KBps Today" connectionType as "Forwarder Type" kb_diff as "KBps Difference from Last Week" kb_diff_perc as "Percentage Difference"

Thank you in advance.
