The src would be the source of the authentication event, generally in Windows logs this would be the source IP address for the user that was authenticating. If the data is coming directly into Splunk thru a forwarder and Im assuming (based on your use of the src field) that the SA/TA for Windows is in use to make your data CIM compliant then you have two options:
Non-CIM... use the host field ' ... | stats count by EventCode, host | ... '
CIM compliant.. use the dest field ' ... | stats count by EventCode, dest | ... '
Just to add a little more to this ... to only have a table of those with 5 or more add a ' ... | where count>4 ' onto the end.
... View more