Hello, I need to know if it’s possible to use DQL to maintain some kind of counter.
My goal is to detect a condition only when the alert has occurred at least twice, so that a problem is raised only when it reaches that threshold.

Here is the logic I am currently using:

| fieldsAdd alerta = coalesce(
    // Scenario 1
    if(
      EquipoA != EquipoB
      and (EquipoA != dirCorreA or EquipoA != dirCorreB)
      and (EquipoB != dirCorreA or EquipoB != dirCorreB)
      and dirCorreA != dirCorreB,
      true
    ),
 

    // Scenario 2
    if(
      dirCorreA == "CRI400C "
      and EquipoB == "CRI400H"
      and trim(dirCorreB) != trim(_icadir),
      true
    ),
 

    // Default
    false
)
 

| filter alerta
 

| lookup [
    fetch `dt.entity.ibm_i:host`
    | fields id, name = entity.name
    | fieldsAdd equipo_join = upper(trim(name))
  ],
  sourceField: EquipoA,
  lookupField: equipo_join,
  fields: { id }
 

| fieldsKeep _icadir, timeframe, id, _icanom, icanom,
             dirCorreA, dirCorreB, alerta, EquipoA, EquipoB
 

|| makeTimeseries alert = countIf(alerta),
  by: { _icadir, id, _icanom, icanom,
        dirCorreA, dirCorreB, EquipoA, EquipoB },
  spread: timeframe,

What I need now is a way to evaluate this series so that a problem is only triggered when alert occurs two or more times within the selected timeframe.

The issue is that, since we have to use spread, the value gets distributed across the entire timeframe. Is there any other way to do this?