Ran into this over the weekend myself. It looks to be known issue SPL-84357
The response I found at
http://answers.splunk.com/answers/137421/why-are-my-real-time-alerting-searches-no-longer-sending-em...
provided the following workaround:
The work-around is to temporarily extend "sessionTimeout" in $SPLUNK_HOME/etc/system/local/server.conf to a value that will be longer than the interval between two matched events, thus preventing the token from expiring:
[general]
sessionTimeout = 30d
Thanks for the answer.