If you want to alert only when the dc goes up, then you might need to write out records when you alert and read in your prior alerts to decide whether to alert again.
This answer provides some code that was specific to throttling for an hour, but something like this strategy could work for you.
https://answers.splunk.com/answers/548711/how-to-throttle-an-alert-using-more-than-one-field.html
You could run your query for 91 days, keep _time on the records, sort them in order and use streamstats with timewindow=90d to calculate your values.
Then use streamstats again with current=f window=1 to copy the dc number forward from yesterday's record and compare.
However, your search already looks overly complicated. I'm very suspicious of the list followed by three mvexpands. That is creating a cross product with no business case for it. Those probably should be replaced by this, although I suspect the whole search can be much further simplified...
| eval myFan = mvrange(0,mvcount(first_name))
| mvexpand myFan
| eval first_name = mvindex(first_name,myFan)
| eval last_name = mvindex(last_name,myFan)
| eval user_id = mvindex(user_id,myFan)
Could you elaborate a little more for us on what the underlying record and account structure is? Just three or four fake records would probably be enough to clear it up.
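The two-pass streamstats approach described in the answer above, as an added example that is not part of the original post. It assumes the distinct count is taken over user_id and runs on constructed sample rows (one fake user per day, built with makeresults); in current Splunk the streamstats option is spelled time_window.

```spl
| makeresults count=6
| streamstats count as n
| eval _time = relative_time(now(), "@d") - (6 - n) * 86400
| eval user_id = case(n=1, "fake_u1", n=2, "fake_u2", n=3, "fake_u1", n=4, "fake_u3", n=5, "fake_u3", n=6, "fake_u4")
| sort 0 _time
| streamstats time_window=90d dc(user_id) as dc_90d
| streamstats current=f window=1 last(dc_90d) as prev_dc
| eval dc_went_up = if(isnotnull(prev_dc) AND dc_90d > prev_dc, "yes", "no")
| table _time user_id dc_90d prev_dc dc_went_up
```

Against real data, the first four lines would be replaced by the base search run over the last 91 days, and the alert condition would be `where dc_went_up="yes"` on the most recent row.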