Well, that was a 3-minute rolling window. So... (I'm thinking this through as I type), at 14:02 you had a count of 90 in the previous three minutes. From 14:02 (I'm just rounding off those seconds) to about 14:05, your count steadily drops, until it's nearly at zero.
(By the way, streamstats is probably doing this backwards from the way you would normally think - I use streamstats a lot, but it's nearly always with a tiny window of 2 events or something, so it's rarely noticeable.)
That's a drop of the entire 90 in 3 minutes, which means you spent three minutes with a continuous count of zero events with server.MQPublisher for that host and source.
Which means ... that's a legitimate alert. Three minutes, no events matching your criteria.
Let's try from the other side of things:
What made you think it was a false alert in the first place? Is there some other product/monitoring software you are using that said "everything's fine"? Or was it just that "no one complained then" or something?
Which sort of leads me to wonder: if it was a legit alert, but the thing that alerted wasn't really something that should have alerted, then the criteria just need tweaking. Maybe the "log writing process" gets behind, so Splunk doesn't see current information? Maybe you need to broaden the time frame you are looking at?
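To make the rolling-window arithmetic in the answer above concrete, here is an added Python example (not from the original post or from Splunk) that reproduces the shape of the reported count: 90 events in the three minutes before 14:02, then nothing. It assumes constructed timestamps and a trailing window of [t - 3 min, t); the count falls 90, 60, 30, 0 at one-minute samples, and the count only reaches zero once a full window has passed with no events, which is why the alert is legitimate.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=3)  # the 3-minute rolling window from the question


def constructed_events():
    """Constructed sample: 90 events, one every 2 s, from 13:59:00 to 14:01:58."""
    base = datetime(2024, 1, 1, 13, 59, 0)
    return [base + timedelta(seconds=2 * i) for i in range(90)]


def trailing_count(events, t, window=WINDOW):
    """Count events whose timestamp lies in [t - window, t)."""
    lo = t - window
    return sum(1 for e in events if lo <= e < t)


def trailing_counts(events, sample_times, window=WINDOW):
    """Window count evaluated at each sample time (what streamstats reports)."""
    return [trailing_count(events, t, window) for t in sample_times]


def seconds_since_last_event(events, t):
    """Length of the silent gap ending at t, in seconds."""
    earlier = [e for e in events if e < t]
    return (t - max(earlier)).total_seconds() if earlier else float("inf")


def gap_alert(events, t, window=WINDOW):
    """True when the window count is zero, i.e. a full window passed silently."""
    return trailing_count(events, t, window) == 0


if __name__ == "__main__":
    evs = constructed_events()
    samples = [datetime(2024, 1, 1, 14, m, 0) for m in (2, 3, 4, 5)]
    for t, c in zip(samples, trailing_counts(evs, samples)):
        print(t.strftime("%H:%M"), c)          # 14:02 90 ... 14:05 0
    print("silent seconds at 14:05:",
          seconds_since_last_event(evs, samples[-1]))
    print("alert at 14:05:", gap_alert(evs, samples[-1]))
```

A zero window count at 14:05 therefore cannot be a sampling artefact: it can only occur after at least `WINDOW` of continuous silence, so tuning should target the window length or the event criteria rather than the trigger logic.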