First, I’d strongly recommend you take the free courses available from Splunk: https://www.splunk.com/en_us/training.html?sort=Newest&filters=filterGroup1FreeCourses
Second, you need to look for field=value pairs in your data, like this:
index=ndx sourcetype=srctp fieldA=valA fieldB=valB* fieldC=valC
| stats values(host) as host values(fieldB) as fieldB by fieldA fieldC
from User warren – Stack Overflow https://stackoverflow.com/questions/69792540/search-for-specific-patterns-in-splunk-cloud-platform/69797053#69797053