You should get an alert after 5 minutes. Since the threshold given in the search is 5 minutes, you will get an alert after five minutes of the host being down (and the alert runs at that time).
Hi
You can try the search below to get an alert in case any host is down for more than 5 minutes:
| tstats count latest(_time) where index=* by host
| rename latest(_time) as latest_time
| eval status= if(latest_time > relative_time(now(),"-5min"),"Active","Inactive")
| convert ctime(latest_time)
| search status="Inactive"
| fields - count