Help required to write a pipeline rule

Hey :slight_smile:

Here is my approach to your problem:
This needs billmurrin’s slookup function to be installed and working correctly.

The relevant messages need to be routed into their own stream for the slookup function to be able to query the right messages reliably.

Create unique_info field

Create a Pipeline and add this rule to the first stage:

rule "Unique Info"
when
    // Only build the key when both src and dst exist and carry a real value
    ((has_field("dst") AND (to_string($message.dst) != "N/A")) AND (has_field("src") AND (to_string($message.src) != "N/A")))
then
    // src + dst first, then the alert name, so the same triple always yields the same key
    let temp = concat(to_string($message.src), to_string($message.dst));
    let combined_field = concat(temp, to_string($message.name));
    set_field("unique_info", combined_field);
end

Check for previous alerts with same unique_info

Create a second stage and add this rule to it:

rule "Aggregated Alert"
when
    // Check if a message with the same unique_info exists in the last 60 minutes
    // slookup(StreamID, Source Field, Destination Field, Return Field, Relative Time, SortOrder)
    $message.unique_info == slookup("your-stream-id-containing-this-messages", "unique_info", "unique_info", "unique_info", 3600, "desc")
then
    // Field name matches the alert condition described below
    set_field("critical_alert", true);
end

Done

In theory, this should work. Now attach an alert to the stream to check whether critical_alert is true in a given time frame (I suggest 5 or so :smiley:).

I hope this helps. I cannot verify these rules, since I do not have access to my system sadly, but I hope it works :slight_smile:

Greetings - Phil

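Added example, not part of Phil's reply and not Graylog code: an offline Python model of the two-stage pipeline above, so the deduplication logic can be checked without a Graylog instance. Stage 1 derives unique_info from src, dst and name; stage 2 flags critical_alert when a message with the same unique_info was already seen in the last 3600 s. An in-memory list stands in for the slookup query against the stream (an assumption of this model), the messages are constructed sample data, and the key uses a "|" separator between the parts, a deliberate difference from the post's concat() without a separator, which can make distinct (src, dst, name) triples collide.

```python
"""Offline model of the two-stage Graylog pipeline from the post (added example)."""
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 3600   # matches the relative-time argument given to slookup
NOT_AVAILABLE = "N/A"   # the placeholder value the stage-1 rule excludes


@dataclass
class Message:
    timestamp: int   # epoch seconds (constructed for the example)
    fields: dict


def stage1_unique_info(msg: Message) -> Optional[str]:
    """Stage 1: build unique_info only when src and dst exist and are not N/A.

    The parts are joined with "|" (assumption of this model; the post's rule
    concatenates them directly) so that distinct triples cannot collide.
    """
    f = msg.fields
    if f.get("dst") in (None, NOT_AVAILABLE) or f.get("src") in (None, NOT_AVAILABLE):
        return None
    unique_info = "|".join([str(f["src"]), str(f["dst"]), str(f.get("name", ""))])
    f["unique_info"] = unique_info
    return unique_info


def stage2_lookup(msg: Message, stream: list) -> bool:
    """Stage 2: stand-in for slookup(stream, unique_info, unique_info, unique_info, 3600, "desc").

    Walks the stream newest-first ("desc") and stops once messages are older
    than the window. Sets critical_alert and returns True on a match.
    """
    key = msg.fields.get("unique_info")
    if key is None:
        return False
    for earlier in reversed(stream):           # stream is kept in timestamp order
        if msg.timestamp - earlier.timestamp > WINDOW_SECONDS:
            break                              # everything further back is outside the window
        if earlier.fields.get("unique_info") == key:
            msg.fields["critical_alert"] = True
            return True
    return False


def run_pipeline(messages: list) -> list:
    """Run both stages over the messages in time order; returns one bool per message."""
    stream = []      # messages already indexed into the dedicated stream
    results = []
    for msg in sorted(messages, key=lambda m: m.timestamp):
        stage1_unique_info(msg)
        results.append(stage2_lookup(msg, stream))
        stream.append(msg)
    return results


# Constructed sample messages (not real data)
SAMPLE = [
    Message(1000, {"src": "10.0.0.5", "dst": "10.0.0.9", "name": "portscan"}),
    Message(1600, {"src": "10.0.0.5", "dst": "10.0.0.9", "name": "portscan"}),  # repeat within 1 h
    Message(1700, {"src": "N/A", "dst": "10.0.0.9", "name": "portscan"}),       # no unique_info built
    Message(6000, {"src": "10.0.0.5", "dst": "10.0.0.9", "name": "portscan"}),  # last match is 4400 s old
]

if __name__ == "__main__":
    for msg, flagged in zip(SAMPLE, run_pipeline(SAMPLE)):
        print(msg.timestamp, msg.fields.get("unique_info"), "critical_alert" if flagged else "-")
```

Running it shows only the second message being flagged: the first has nothing to match, the third never gets a unique_info because src is N/A, and the fourth arrives after the 3600 s window has passed. If you change the joiner back to plain concatenation you can see why the separator is worth keeping in the real rule.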