Do you mean this ? [Solved] Problem with Syslog alert rule
you can surround macros.past_5m in `` as a workaround.