What am I looking for: my search results contain a Count field.
1) If Count is greater than zero, it should alert once, and after alerting once it shouldn't alert again until 00:00 AM. (I am writing the results from the 1st alert to a CSV file.)
2) If the number increases by 5 from the number in the CSV (csv+5), I should trigger an alert once, and after alerting once it shouldn't alert again until 00:00 AM.
3) If the number increases by 10 from the number in the CSV (csv+10), I should trigger an alert once, and after alerting once it shouldn't alert again until 00:00 AM.
I have to run the query every 15 min.
I would try
...your search...
| eval ts=strftime(_time, "%x")
| fields ts count
| lookup your_search_key ts OUTPUTNEW count_from_csv
| eval count_from_csv=if(isnull(count_from_csv), -4, count_from_csv)
| eval new=if(count>=count_from_csv+5, 1, 0)
| search new=1
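To show the three once-per-day rules end to end (first non-zero count, baseline+5, baseline+10, all resetting at midnight), here is an added Python simulation of the 15-minute schedule. It is not part of the question or the answer above: the CSV lookup is replaced by an in-memory dict keyed on the calendar day, the alert names ("count>0", "baseline+5", "baseline+10") and the sample counts are constructed, and the day key mirrors the strftime(_time, "%x") trick from the answer.

```python
from datetime import datetime, timedelta

# Threshold steps above the day's baseline (the count recorded at the first alert).
STEPS = (5, 10)


class OnceADayAlerter:
    """Fires each alert at most once per calendar day; state resets at 00:00.

    Hypothetical stand-in for the CSV lookup in the thread: the baseline
    and the set of alerts already fired are kept per day in memory.
    """

    def __init__(self):
        # day (YYYY-MM-DD) -> {"baseline": int | None, "fired": set of alert names}
        self.state = {}

    def check(self, ts, count):
        # A new day key means nothing has fired yet, which is the midnight reset.
        day = ts.strftime("%Y-%m-%d")
        st = self.state.setdefault(day, {"baseline": None, "fired": set()})
        fired = []

        # Rule 1: first non-zero count of the day -> alert once and record the baseline
        # (this is the value the question writes to the CSV).
        if count > 0 and st["baseline"] is None:
            st["baseline"] = count
            st["fired"].add("count>0")
            fired.append("count>0")

        # Rules 2 and 3: baseline+5 and baseline+10, each at most once per day.
        if st["baseline"] is not None:
            for step in STEPS:
                name = f"baseline+{step}"
                if count >= st["baseline"] + step and name not in st["fired"]:
                    st["fired"].add(name)
                    fired.append(name)
        return fired


def simulate(samples):
    """Run the schedule over (timestamp, count) samples; return the alerts fired per run."""
    alerter = OnceADayAlerter()
    return [(ts.isoformat(), alerter.check(ts, count)) for ts, count in samples]


def constructed_samples():
    # Constructed input: a count observed every 15 minutes across a midnight boundary.
    start = datetime(2024, 1, 1, 23, 0)
    counts = [0, 3, 3, 9, 9, 14, 20, 20, 2]
    return [(start + timedelta(minutes=15 * i), c) for i, c in enumerate(counts)]


def jump_example():
    # Constructed input: the count jumps straight to 20, so the baseline is 20 and
    # the +5/+10 rules need 25 and 30, not 5 and 10.
    alerter = OnceADayAlerter()
    runs = [(datetime(2024, 1, 3, 0, 0), 20),
            (datetime(2024, 1, 3, 0, 15), 26),
            (datetime(2024, 1, 3, 0, 30), 31),
            (datetime(2024, 1, 3, 0, 45), 31)]
    return [alerter.check(ts, c) for ts, c in runs]


if __name__ == "__main__":
    for when, alerts in simulate(constructed_samples()):
        print(when, alerts)
```

In the constructed run, 9 at 23:45 fires baseline+5 (baseline 3), and the same 9 at 00:00 fires count>0 again because the day key changed; that is exactly the "don't alert again until 00:00 AM" behaviour the question asks for. Persisting `self.state` to the CSV the question already writes would let the scheduled search survive restarts.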