27 Oct 2025 08:53 AM
Hi everyone,
I’d like to create a Davis anomaly detection (DQL event) that triggers when the number of interfaces (ports) on a network device changes between two time periods (e.g., previous 7 days vs current 7 days).
My initial attempts used a traffic/discards metric and rolling sums, but that’s not ideal when I only need to know how many interfaces exist (or report data) in each period. I think the right approach is to count distinct interfaces per device per period and compare.
Does the DQL below look correct? Is there a simpler/better way?
Goal
Count distinct interfaces per device for last week and this week
Join the two results
Calculate the difference
Trigger a Davis event if the count changed (non-zero difference)
Thanks
// Previous 7 days: one series per interface/device pair
timeseries sum(`com.dynatrace.extension.palo-alto.generic.if.in.discards.count`, default: 0),
  by: { `dt.entity.network:interface`, `dt.entity.network:device` },
  from: now() - 14d, to: now() - 7d, interval: 1m
| fieldsAdd prev_roll = arrayMovingSum(`sum(\`com.dynatrace.extension.palo-alto.generic.if.in.discards.count\`, default:0)`, windowsize: 60)
// shift the previous window's start by 7 days so it lines up with the current window
| fieldsAdd aligned_key = timeframe[start] + 7d
// | fieldsKeep `dt.entity.network:interface`, `dt.entity.network:device`, aligned_key, prev_roll
| join [
  // Current 7 days
  timeseries sum(`com.dynatrace.extension.palo-alto.generic.if.in.discards.count`, default: 0),
    by: { `dt.entity.network:interface`, `dt.entity.network:device` },
    from: now() - 7d, to: now(), interval: 1m
  | fieldsAdd curr_roll = arrayMovingSum(`sum(\`com.dynatrace.extension.palo-alto.generic.if.in.discards.count\`, default:0)`, windowsize: 60)
  | fieldsAdd aligned_key = timeframe[start]
  | fieldsKeep `dt.entity.network:interface`, `dt.entity.network:device`, aligned_key, curr_roll
], on: { `dt.entity.network:interface`, `dt.entity.network:device`, aligned_key }
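The count-and-compare approach listed under "Goal" above, written as an added DQL example rather than the poster's own query; it reuses the metric and entity field names from the post and assumes that an interface counts as existing when it has at least one data point in the window.

```dql
// Added example (not from the original post). Counts the interfaces that reported
// data in the previous 7 days and in the current 7 days, per device, then keeps
// only devices whose interface count changed. Metric and entity field names are
// taken from the post above.
timeseries discards = sum(`com.dynatrace.extension.palo-alto.generic.if.in.discards.count`, default: 0),
    by: { `dt.entity.network:device`, `dt.entity.network:interface` },
    from: now() - 14d, to: now() - 7d
// one row per interface -> number of distinct interfaces per device (previous week)
| summarize prev_ifaces = countDistinctExact(`dt.entity.network:interface`),
    by: { `dt.entity.network:device` }
| join [
    timeseries discards = sum(`com.dynatrace.extension.palo-alto.generic.if.in.discards.count`, default: 0),
        by: { `dt.entity.network:device`, `dt.entity.network:interface` },
        from: now() - 7d, to: now()
    // same count for the current week
    | summarize curr_ifaces = countDistinctExact(`dt.entity.network:interface`),
        by: { `dt.entity.network:device` }
  ], on: { `dt.entity.network:device` }, fields: { curr_ifaces }
// signed change in interface count; a non-zero value is the event condition
| fieldsAdd diff = curr_ifaces - prev_ifaces
| filter diff != 0
```

The default inner join drops any device that appears in only one of the two windows, so a device that is brand new or has vanished entirely will not show up; covering that case needs an outer join with null-safe defaults for the missing count.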