Hi Splunkers,
Happy Holidays!
I am trying to create a dashboard for log volume monitoring. I am using the ML Toolkit and need help with my search.
| tstats count WHERE index=index_name BY index _time span=1h
| eval date=strftime(_time,"%m/%d/%Y")
| lookup Paid_Holidays.csv holiday_date as date OUTPUT is_holiday
| eval day_of_week = strftime(_time,"%A")
| where NOT (day_of_week="Saturday" OR day_of_week="Sunday")
| where NOT is_holiday=1
| `forecastviz(245, 240, "count", 93)`
| eval isOutlier = if(prediction!="" AND 'count' != "" AND ('count' < 'lower95(prediction)' OR 'count' > 'upper95(prediction)'), 1, 0)
| where isOutlier=1
| eval today = relative_time(now(),"-1h@h")
| where isOutlier=1 AND _time >= today
| where count < 'lower95(prediction)'
| fields - isOutlier
The highlighted and underlined part is where I am having an issue. I need to alert only when the count is less than the predicted value in the next hour as well. The current scenario alerts frequently, and I need to restrict it so it alerts only when the count stays low continuously for the next hour as well. Can someone help me with my query?
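One way to express the "two consecutive hours below the lower bound" condition, as an added example that is not part of the original post and not a search generated by the ML Toolkit: keep the poster's data prep and `forecastviz` call unchanged (including the `lower95(prediction)` field name the poster's query already relies on), drop the forecast-only rows where `count` is null, and then use `streamstats` to carry the previous hour's result onto the current row. The alert fires only when both the current hour and the hour immediately before it were below the lower bound. The index name, the `Paid_Holidays.csv` lookup and its `holiday_date` / `is_holiday` columns are taken from the post; the field names `isLow`, `prev_isLow` and `prev_time` are assumptions made for this example.

```spl
| tstats count WHERE index=index_name BY index _time span=1h
| eval date=strftime(_time,"%m/%d/%Y")
| lookup Paid_Holidays.csv holiday_date as date OUTPUT is_holiday
| eval day_of_week=strftime(_time,"%A")
| where NOT (day_of_week="Saturday" OR day_of_week="Sunday")
| where NOT is_holiday=1
| `forecastviz(245, 240, "count", 93)`
| where isnotnull(count) AND isnotnull('lower95(prediction)')
| sort 0 _time
| eval isLow=if('count' < 'lower95(prediction)', 1, 0)
| streamstats current=f window=1 last(_time) as prev_time last(isLow) as prev_isLow
| where _time >= relative_time(now(),"-1h@h")
    AND isLow=1 AND prev_isLow=1
    AND (_time - prev_time) = 3600
| table _time count prediction "lower95(prediction)" prev_isLow
```

How it works: `where isnotnull(count)` removes the future buckets that `forecastviz` appends (they have a prediction but no observed count), and `sort 0 _time` guarantees the order `streamstats` walks. `streamstats current=f window=1` copies the previous row's `_time` and `isLow` onto the current row, so `isLow=1 AND prev_isLow=1` is the two-hours-in-a-row test, and `(_time - prev_time) = 3600` makes sure the previous row really is the preceding hour rather than, say, Friday 23:00 sitting before Monday 00:00 after the weekend filter. Scheduled hourly, the search returns a row only for the last completed hour when that hour and the one before it were both under the lower bound; an alert on "number of results > 0" then fires once per confirmed drop instead of on every single low hour.

Two caveats for a log-volume monitor built this way. First, `tstats ... BY _time span=1h` emits no row at all for an hour with zero events, so a source that goes completely silent never produces a `count` that is "less than" anything; inserting `| makecontinuous _time span=1h | fillnull value=0 count` right after the `tstats` line (before the weekday filter) turns those gaps into zero-count rows that the forecast comparison can catch. Second, the fourth argument of `forecastviz` sets the confidence interval, and the bound field names the query references have to match whatever interval the macro actually produces in your MLTK version; check the field list once in the search UI before trusting the alert.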