Well you can do that in the
timechart itself using
You can try something like this
basic search | timechart span = 5m count by host WHERE count>3
See the example 4 given in this official doc of splunk.
let me know if this helps!