Refer: http://answers.splunk.com/answers/149182/alert-when-splunk-user-did-not-login-for-last-15-minutes.html
Create an Alert and these are the key pieces:
Search for Today, to work with wizard
index=book2-prod-app-porta | head 1 | eval age = now() - _time
crontab run every 5 minutes
*/5 * * * *
# This is for 300 seconds or 5 minutes
Custom Condition: search age > 300