Hello all!

I'm newbie in Splunk and I'm trying to figure out how to create an alert based on count of unique field values.

I have field src_mac and I need to trigger an alert each time the same value appears more than 4 times in search results.

Example log:

Apr 20 16:06:41 dhcp1 dhcpd: DHCPDISCOVER from a0:d3:c1:63:37:16 via 198.18.2.1: peer holds all free leases
dest_int = 198.18.2.1 dhcp_message = DHCPDISCOVER host = dhcp1 src_mac = a0:d3:c1:63:37:16
Apr 20 16:06:41 dhcp2 dhcpd: DHCPDISCOVER from a0:d3:c1:63:37:16 via 198.18.2.1: peer holds all free leases
dest_int = 198.18.2.1 dhcp_message = DHCPDISCOVER host = dhcp2 src_mac = a0:d3:c1:63:37:16
Apr 20 16:06:33 dhcp1 dhcpd: DHCPDISCOVER from a0:d3:c1:63:37:16 via 198.18.2.1: peer holds all free leases
dest_int = 198.18.2.1 dhcp_message = DHCPDISCOVER host = dhcp1 src_mac = a0:d3:c1:63:37:16
Apr 20 16:06:33 dhcp2 dhcpd: DHCPDISCOVER from a0:d3:c1:63:37:16 via 198.18.2.1: peer holds all free leases
dest_int = 198.18.2.1 dhcp_message = DHCPDISCOVER host = dhcp2 src_mac = a0:d3:c1:63:37:16
Apr 20 16:06:30 dhcp1 dhcpd: DHCPDISCOVER from a0:d3:c1:63:37:16 via 198.18.2.1: peer holds all free leases

Also I need to suppress results containing same field value for 10 minutes.
Could anybody provide example?

Thanks in advance,
Maxim