Show the actual requests of the past 5 minutes vs the average request count over the past day. The threshold we want to alert upon is the past day's average amplified by a factor of 10.

actual-requests-vs-past-day-average.appinsights

let lookbackWindow=30d;
let observationInterval=1d;
let sampleInterval=5m;
let thresholdFactor=10;
// 5-min request count average measured over the past 1 day
let averagedRequestsInObservationInterval = requests
| where timestamp > ago(lookbackWindow)
| summarize sum(itemCount) by bin(timestamp, sampleInterval)
| summarize averageRequestCount = avg(sum_itemCount) by bin(timestamp, observationInterval)
| extend threshold = averageRequestCount * thresholdFactor;
// actual request count of the last 5 min
let actualRequestsInSampleInterval = requests
| where timestamp > ago(lookbackWindow)
| summarize currentRequestCount = sum(itemCount) by bin(timestamp, sampleInterval);
// render
actualRequestsInSampleInterval
| union averagedRequestsInObservationInterval 
| render timechart

The current version looks like this:

Now, rather than having 1 datapoint for the past day's average at 00:00 every day, I'd rather want to have the past day's average as a rolling window average every 5 minutes.

How would you do that?

Improved and simpler version is here, making use of series_fir() to compute the moving average:

let timeWindow=30d;
let averagingInterval=1d;
let sampleInterval=5m;
let thresholdFactor=10;
requests
| where timestamp > ago(timeWindow)
| make-series requestCount=sum(itemCount) default=0 on timestamp in range(ago(timeWindow), now(), sampleInterval)
| extend movingAverage=series_fir(requestCount, repeat(1, toint(averagingInterval/sampleInterval)))
| mvexpand timestamp to typeof(datetime), requestCount to typeof(int), movingAverage to typeof(double) limit 1000000
| extend threshold=movingAverage * thresholdFactor
| render timechart 

The result looks much better now: