Alerting: customized conditions, memory is above a threshold for two times in a row for a specific server


I have the next query in an alert to check the status of 6 hosts:
index=idx_nmon_data sourcetype=Perfmon:Memory eventtype=perfmon_memory
| eval threshold=95
| where mem_used > threshold
| table _time host mem_used threshold

I would like that the alert is triggered when for two times in a row a specific server is above 95% of mem_used.

And that in the email appears the next fields: _time host mem_used threshold
I thought about two options but they dont match exactly what I want:
- Do a: stats dc(_time) as times by host (in the search) and configure alert triggered when results are >1
>>>but in this case i lose information in the email of mem_used and _time, and I would like to see them in the table of the email

          - Inside the alert, as customized condition, to write: search dc(_time) by host > 1, but it does not work

Anyone has othe ideas? or am i doing something wrong?

I would like to maintain as well this is an only one query just to avoid consume the ressources of my search head server

Thanks in advance

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!