Hi. I'm a Splunk newbie and I am trying to construct a query over multiple sources that will do a sum of points over a day in 1 hr buckets and tell me whether in the past hour I have breached the max bucket size by a factor of 10%. I have tried to do this via a subsearch, which is very slow and I can't get it to quite work, or as one query, where I got the counts, but can't figure out how to get it to tell me whether it breached the max.
Here is what I have so far:
query returning pts for each event | bin _time span=1h as hour | stats sum(pts) as sum_pts by hour sourcetype
Any help at all would be greatly appreciated!
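One way to get the "did the last hour breach the max" answer in a single search without a subsearch, written as an added example that is not part of the original post. It assumes a placeholder base search (`index=your_index`, a constructed name) that yields a numeric `pts` field per event, and it interprets "breached the max by 10%" as: the sum for the most recent complete hour is more than 110% of the largest of the earlier hourly sums for that sourcetype. The time range is pinned to whole hours so the partial current hour is not counted.

```spl
index=your_index earliest=-24h@h latest=@h
| bin _time span=1h
| stats sum(pts) as sum_pts by _time sourcetype
| eventstats max(_time) as last_hour by sourcetype
| eval is_last=if(_time=last_hour, 1, 0)
| eventstats max(eval(if(is_last=0, sum_pts, null()))) as max_prior by sourcetype
| where is_last=1
| eval threshold=round(max_prior*1.1, 2)
| eval breached=if(sum_pts > threshold, "yes", "no")
| table _time sourcetype sum_pts max_prior threshold breached
```

The second `eventstats` computes the max over every hourly bucket except the last one, per sourcetype, so the latest bucket can be compared against the earlier hours rather than against itself (if the max included the current bucket, `sum_pts > max_prior*1.1` could never be true). Two caveats: a sourcetype with no events in the last complete hour produces no bucket for that hour, so its `last_hour` will be an older bucket; and `max_prior` is null when there is only one bucket, in which case `breached` is "no". If you want this as an alert, schedule the search hourly and trigger on `breached="yes"`.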