I am a newbie to Splunk. If I have a message from F5 as below, how do I get the details of app pool, time since down, message, and member/host as a table only when the app pool is down for more than 15 mins and the app pool is down on more than 2 hosts?
sample Message:
/Common/example-HTTPS: down; last error: /Common/example-HTTPS: Response Code: 200 (OK); No successful responses received before deadline.; Unable to connect @2018/04/08 04:15:03. ] [ was up for 412hrs:46mins:25sec]
current alert for any app pool down for 15 mins:
index=net host=prod monitor | rex "Pool \/Common\/(?<POOL>[\w-]+) member \/Common\/(?<MEMBER>\w+):(?<PORT>\d+) monitor status(\snode)? (?<STATUS>\w+).\s\[\s(?<WAS>.+)\s\]" | eval TimeDiff = now() - _time | table _time, POOL, STATUS, WAS, MEMBER, host, TimeDiff | dedup POOL MEMBER sortby -_time | where WAS like "%was up for%" | search TimeDiff>900
What I need:
alert only if the same app pool is down on more than 1 host. (All our app pools are load balanced and are on 2 or more hosts.)
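One way to add the per-host condition to the query above, as an added example and not the poster's own query or a verified answer; it assumes the named capture groups POOL, MEMBER, PORT, STATUS and WAS (PORT is an assumed name), that each F5 device reports as a separate host value, and that the latest event per pool member and host is the one that decides its current state:

```spl
index=net host=prod monitor
| rex "Pool \/Common\/(?<POOL>[\w-]+) member \/Common\/(?<MEMBER>\w+):(?<PORT>\d+) monitor status(\snode)? (?<STATUS>\w+).\s\[\s(?<WAS>.+)\s\]"
| dedup POOL MEMBER host sortby -_time
| where WAS like "%was up for%"
| eval TimeDiff = now() - _time
| where TimeDiff > 900
| stats dc(host) AS downHosts, values(host) AS hosts, values(MEMBER) AS members, values(WAS) AS message, min(_time) AS firstDown BY POOL
| where downHosts > 1
| eval downSince = tostring(now() - firstDown, "duration")
| table POOL, downSince, message, members, hosts, downHosts
```

The dedup runs before the "was up for" filter so that a member whose most recent event is an "up" event drops out instead of matching on an older down event.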