Something like this should work:
index=ndx sourcetype=srctp rating="bad" color="blue" price=*
| top price by color rating
from User warren – Stack Overflow https://stackoverflow.com/questions/74526812/splunk-display-top-values-for-only-certain-fields/74535396#74535396
via IFTTT