I have log files that are sent once a day to Splunk.
I have to generate alerts when X number of occurrences are seen in a Y time window.
The alert I created does not trigger with those logs.
You don't want a realtime search for this. Create a scheduled search that uses earliest and latest to specify the time window based on the scheduled run time. Be sure to schedule the run time so that the logs you're searching have been indexed.
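An added example of what that scheduled search could look like as a `savedsearches.conf` stanza (this is illustrative and not code from the thread). It assumes placeholder values: the daily batch is fully indexed before 03:00, events land in index `app_logs` with sourcetype `app_log`, the threshold X is 50 events, the window Y is 15 minutes, and event timestamps are parsed into `_time` from the log lines themselves.

```ini
# Added example, not from the original answer. Index, sourcetype,
# field names, thresholds and schedule are placeholders.
[daily_batch_burst_alert]
enableSched = 1
# Run at 03:00, after the daily batch has been indexed
cron_schedule = 0 3 * * *
# Window is anchored to the run time: the whole previous calendar day
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# Bucket events into Y-minute windows and count per host,
# then keep only buckets that reach X occurrences
search = index=app_logs sourcetype=app_log error_code=500 \
| bin _time span=15m \
| stats count AS hits BY _time, host \
| where hits >= 50
# Fire if the search returns any row (any bucket crossed the threshold)
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
action.email = 1
action.email.to = placeholder@example.com
```

Because the whole day's logs arrive in one batch, `earliest` and `latest` only select the right events if `_time` comes from the log line's timestamp rather than the index time; a quick check is to run the base search once and add `| eval lag=_indextime-_time | stats max(lag)`, which should show lag of roughly a day rather than near zero. If the timestamp is not being extracted, fix `TIME_PREFIX`/`TIME_FORMAT` in `props.conf` for that sourcetype before relying on this alert.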