splunk query

I need to create an alert which will prompt whenever "reason": "LOCKED" appears more than 15% in previous 1 hour. checks to be made every 10m. this should happen only for "operation":"ENROLL" and "operation":"BIND" i have this query which gives me the locked transactions but if I combine it with operation:BIND or ENROLL then I dont get any results even though the application is throwing logs for these. index=abc cf_app_name="stack-overflow" "reason": "LOCKED" AND "operation":"ENROLL" below is the sample log { "id": "c90f975cb368", "source": { "domain": "ABC", "version": "1.0.0", "environment": "stage" }, "namespace": "a.b.c", "resource": "CARD", "operation": "ENROLL", "state": "FAILED", "tags": ["kpi"], "createTime": 156898900, "context": { "correlationId": "0-6093d36" }, "data": { "dpaData": { "dpaId": "1d457051052e71730e71cc5a", "srctId": "526e1bcf-ca6ce85ee9cb", "durbinRights": false }, "dcfData": {}, "srciData": { "srcId": "526e1ca6ce85ee9cb", "name": "mcd }, "appInstanceData": { "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36", "abcdefghijklmnopqrstuvwxyz\"}", "remoteIpAddress": "[login to view URL]", "httpXForwardedFor": "[login to view URL]" }, "authenticationData": { "expiration": false, "authenticationResult": { "reason": "LOCKED" }, "emailVerified": false, "phoneVerified": false }, "consumerData": {}, "error": { "reason": "LOCKED", "message": "Access is denied to the requested resource. The user account has been locked., card locked time: [166898828]", "http-response-code": "400" } } } I just need the query which will give the events where "reason": "LOCKED" under the field error appears along with "operation": "ENROLL"