I want to compare the results from latest 4 hrs today with the results from the same time yesterday and want to set an alert if today's result drops by 20 percent.
My search string is:
index="abcd" earliest=-28h latest=-24h | stats count as prevday | append [ search index="abcd" earliest=-4h latest=now | stats count as currday] | eval diff = (abs(prevday - currday)/prevday)*100
Using this search string I could store the results in respective variables prevday and currday.. But I could not successfully set an alert by mentioning the custom condition diff > 20. Where am I doing a mistake? What do I need to specify in alert condition so that I will get an alert if diff > 20 ?