hi
I have made the base search and set alerting on behalf of that but i am intermittently getting fake alerts in bulk

this is the base search

index=vmware* (sourcetype=vmware:perf:cpu OR sourcetype=vmware:perf:mem) source=*virtual* |stats avg(p_average_cpu_usage_percent), avg(p_average_mem_usage_percent) by moid, host | rename avg(p_average_cpu_usage_percent) as "cpuUsage",avg(p_average_mem_usage_percent) as "memUsage"| lookup Entity moid AS moid, host AS host | eval procentOverCpu=case((cpuUsage>=85 AND cpuUsage<90)  ,"1",1=1,"0")|eval procentOverCpu90=case((cpuUsage>=90 ) ,"1",1=1,"0")|eval procentOverMem=case((memUsage>=85 AND memUsage<90) ,"1",1=1,"0")|eval procentOverMem90=case((memUsage>90),"1",1=1,"0")|search lowername!=hybseaprd*|append [ |inputlookup Entity  | eval procentOverCpu=0, procentOverMem=0 ,procentOverCpu90=0 ,procentOverMem90=0]