https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218121#M3933 <P>You have to configure an alert using your search with a time period of 5 minutes and schedule it with this cron definition </P> <PRE><CODE>*/5 * * * * </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 30 Sep 2016 13:40:48 GMT gcusello 2016-09-30T13:40:48Z https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218119#M3931 <P>Hi,</P> <P>I am using the function:</P> <P>| stats count(name) AS x by name | where x &gt;4</P> <P>Results:</P> <P>name count(name)<BR /> Paul 10<BR /> John 3</P> <P>I would like to receive alerts when the number of names (count(name)) is greater than 4 in a 5 minutes time interval, after five minutes, the count will reset and start count again.<BR /> This alert must be set in real time or Cron Scheduled time? How Can I define 5 minutes on Cron Expression?</P> <P>Best Regards, <BR /> Monteiro.</P> Fri, 30 Sep 2016 12:48:26 GMT https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218119#M3931 monteirolopes 2016-09-30T12:48:26Z https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218120#M3932 <P>I believe the cron expression you are looking for is: <CODE>5 * * * *</CODE></P> Fri, 30 Sep 2016 13:09:50 GMT https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218120#M3932 lyndac 2016-09-30T13:09:50Z https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218121#M3933 <P>You have to configure an alert using your search with a time period of 5 minutes and schedule it with this cron definition </P> <PRE><CODE>*/5 * * * * </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 30 Sep 2016 13:40:48 GMT https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218121#M3933 gcusello 2016-09-30T13:40:48Z https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218122#M3934 <P>Nopes... this is for running a search hourly at 5th min.</P> Fri, 30 Sep 2016 16:02:58 GMT https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218122#M3934 somesoni2 2016-09-30T16:02:58Z https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218123#M3935 <P>If, you're ok with a delay of 5min to get the alert, run on Cron schedule time. Real-time alerts are expensive and they never complete. See @Cusello's answer for 5 min cron.</P> Fri, 30 Sep 2016 16:04:07 GMT https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218123#M3935 somesoni2 2016-09-30T16:04:07Z https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218124#M3936 <P>Giuseppe is correct above, that is what I thought I typed, but apparently my fingers went another way.<BR /> Sorry. <CODE>*/5 * * * *</CODE> is the correct one.</P> Fri, 30 Sep 2016 16:16:16 GMT https://community.splunk.com/t5/Alerting/Alert-Time-interval/m-p/218124#M3936 lyndac 2016-09-30T16:16:16Z