Splunk Search

How to generate an alarm for when CPU peaks at 100% over a 15 min period?

the_rains
Engager

We have just started using the IT Essentials App. We are generating alarms based on thresholds being breached, but the thresholds only seem to be available when, for example, a CPU peaks at 90%. What I am looking for is generating an alarm for when CPU peaks at 100% for a period of 10 mins.


Below is my SPL. Would using time_window = 15m suffice?


| mstats max(ps_metric.pctCPU) as val WHERE index = em_metrics OR index = itsi_im_metrics by host span=5m 
| eval val=100-val 
| rename host as host 
| eval host="host=".$host$ , id="ta_nix" 
| lookup itsi_entities entity_type_ids as id _itsi_identifier_lookups as host OUTPUT _key as entity_key, title, _itsi_informational_lookups as info_lookup, _itsi_identifier_lookups as alias_lookup 
| search entity_key != NULL 
| eval entity_type="Unix/Linux Add-on" 
| eval metric_name="CPU Usage Percent" 
| eval itsiSeverity=case(val <= 75, 2, val <= 90 and val > 75, 4, val > 90, 6) 
| eval itsiAlert=metric_name." alert for ".entity_type." entity type" 
| eval itsiDrilldownURI="/app/itsi/entity_detail?entity_key=".entity_key 
| eval itsiInstance=title 
| eval entity_title=title 
| eval itsiNotableTitle=title 
| eval val = round(val, 2) 
| eval itsiDetails = metric_name + " current value is " + val 
| eval sec_grp=default_itsi_security_group 
| eval alert_source="entity_type" 
| where IsNull(is_entity_in_maintenance) OR (is_entity_in_maintenance != 1) 
| fields - host
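One way to express "held at 100% for the whole 15 minutes" rather than "peaked at 100% in some 5-minute bucket" is to keep the 5-minute buckets from mstats and then ask whether three consecutive buckets for the same host all peaked at 100. The search below is an added example, not part of the original post or of the IT Essentials App; it reuses the index names and the ps_metric.pctCPU metric from the post, assumes that metric is already a percent-used value (the original search inverts it with 100-val, so if yours is really an idle percentage, apply that inversion first), and assumes a 5-minute collection interval so that three buckets equal 15 minutes.

```spl
| mstats max(ps_metric.pctCPU) AS val WHERE index=em_metrics OR index=itsi_im_metrics earliest=-1h latest=now BY host span=5m
| sort 0 host _time
| streamstats window=3 global=false current=true min(val) AS min_peak_15m count AS buckets BY host
| where buckets=3 AND min_peak_15m>=100
| eval itsiSeverity=6
| eval itsiDetails="CPU peak held at 100% for 15 minutes ending ".strftime(_time+300, "%Y-%m-%d %H:%M")
| table _time host min_peak_15m itsiSeverity itsiDetails
```

The streamstats call keeps a sliding window of the last three 5-minute buckets per host (global=false gives each host its own window); min(val) over that window is only 100 when every bucket in it peaked at 100, and buckets=3 discards the first two buckets of each host, where the window is not yet full. Because the condition is evaluated per bucket, a host that stays pegged for 30 minutes produces several matching rows; if you need one notable per episode, add a dedup on host or drive the search from a shorter earliest window such as earliest=-15m with a plain stats count, min(val) BY host instead of streamstats.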
