The JSON payload is being treated as a multivalue field
So you need to mvexpand it before filtering-out what you want to ignore
Try something like this:
index=ndx sourcetype=srctp Stats{}.type=*
| rename Stats{}.type as type
| mvexpand type
| search NOT type="Unknown"
| ...
from User warren – Stack Overflow https://stackoverflow.com/questions/63292320/splunk-how-to-exclude-a-certain-vale-from-the-list-if-exist/63342203#63342203
via IFTTT