stats will be your friend here.
Consider the following:
index=myIndex* source="source/path/of/logs/*.log" "Elephant" carId=*
| stats values(*) as * by carId
from User warren – Stack Overflow https://stackoverflow.com/questions/67424702/get-distinct-results-filtered-results-of-splunk-query-based-on-a-results-field/67425342#67425342
via IFTTT