I am not sure why you are using timechart to bucket data into 30 min when you need the latest 15m window. You can use stats instead. If you use stats count, count should be returned as 0 as long as there are events in the 15m window (not necessarily the failed ones).
index=os* result=failed
| timechart count span=15m
| timewrap 1day
| tail 1
| fields 28days_before 21days_before 14days_before 7days_before
| transpose column_name=day
| rename "row 1" AS count
| head 4
| stats avg(count) as average stdev(count) as standard_deviation max(count) as hist_max
| eval today_fails=[
search index=os* result=failed earliest=-15m latest=now
| stats count
| return $count
]
| eval window_high=(average + standard_deviation)
| where today_fails > window_high
Another option is to break the query into two parts and use a Search Event Handler to pass the count on to the main search. (PS: Search Event Handlers done/progress can be used in 6.5 or higher. For older versions you would need to use finalized/preview respectively.)
Run the following search in your dashboard Simple XML (refer to the Null Search Swapper Example in the Splunk 6.x Dashboard Examples App):
<search>
<query>search index=os* result=failed earliest=-15m latest=now
| stats count
</query>
<done>
<condition match="$job.resultCount$==0">
<set token="todayFails">0</set>
</condition>
<condition>
<set token="todayFails">$result.count$</set>
</condition>
</done>
</search>
Then use the token $todayFails$ in your main query:
index=os* result=failed
| timechart count span=15m
| timewrap 1day
| tail 1
| fields 28days_before 21days_before 14days_before 7days_before
| transpose column_name=day
| rename "row 1" AS count
| head 4
| stats avg(count) as average stdev(count) as standard_deviation max(count) as hist_max
| eval today_fails=$todayFails$
| eval window_high=(average + standard_deviation)
| where today_fails > window_high
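The threshold logic of the search above, as an added Python example for checking the numbers outside Splunk (not part of the original answer). The function names and sample events are constructed, and it assumes a sliding 15-minute window ending at `now` rather than timechart's clock-aligned buckets.

```python
from datetime import datetime, timedelta
from statistics import mean, stdev

WINDOW = timedelta(minutes=15)

def count_in_window(events, end):
    """Count failed events with end - 15m <= timestamp < end."""
    start = end - WINDOW
    return sum(1 for ts, result in events
               if result == "failed" and start <= ts < end)

def evaluate(events, now, weeks=(1, 2, 3, 4)):
    """Baseline = the same 15m window 7, 14, 21 and 28 days before."""
    history = [count_in_window(events, now - timedelta(days=7 * w))
               for w in weeks]
    average = mean(history)
    standard_deviation = stdev(history)  # sample stdev, like SPL stdev()
    window_high = average + standard_deviation
    # Always a number: 0 when nothing failed, so the comparison never breaks.
    today_fails = count_in_window(events, now)
    return {
        "history": history,
        "today_fails": today_fails,
        "window_high": window_high,
        "alert": today_fails > window_high,
    }

def make_events(now, today, history_counts):
    """Constructed sample data: (timestamp, result) tuples."""
    events = []
    for w, n in enumerate(history_counts, start=1):
        end = now - timedelta(days=7 * w)
        events += [(end - timedelta(minutes=1 + i % 14), "failed")
                   for i in range(n)]
    events += [(now - timedelta(minutes=1 + i % 14), "failed")
               for i in range(today)]
    events.append((now - timedelta(minutes=5), "success"))
    return events

NOW = datetime(2024, 1, 29, 12, 0)  # constructed reference time

if __name__ == "__main__":
    for today in (0, 6, 12):
        print(today, evaluate(make_events(NOW, today, [4, 6, 5, 9]), NOW))
```
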