Answer by warren for List unique values from splunk events

stats will be your friend here:

index=myIndex container_name="abc-mno-pqr" "status code :: 50*"
| stats latest(status) as Status-Code by transactionId

If the fields transactionId and status are not yet extracted, you’ll need to pull them out.

A way to do this at search time is with rex:

| rex field=_raw "code\D+(?<status>\d+)"
| rex field=_raw "^\[(?<transactionId>[^\]]+)"

regex101 verifications: https://regex101.com/r/JDgzya/1 && https://regex101.com/r/O5qTJ9/1

from User warren – Stack Overflow https://stackoverflow.com/questions/76777324/list-unique-values-from-splunk-events/76779761#76779761
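
The answer's two rex patterns and the `stats latest(status) ... by transactionId` step can be checked offline with the sketch below. It is an added example, not part of warren's answer, and it is written in Python, so the named groups are spelled `(?P<name>...)`. The sample events, their line layout, and the function names are assumptions constructed for illustration.

```python
import re

# Same patterns as the two rex commands; Python spells named groups (?P<name>...).
STATUS_RE = re.compile(r"code\D+(?P<status>\d+)")
TXN_RE = re.compile(r"^\[(?P<transactionId>[^\]]+)")

# Constructed sample events (epoch seconds, raw text). The line layout is an
# assumption inferred from the patterns, not taken from the question.
SAMPLE_EVENTS = [
    (1700000000, "[txn-001] upstream call failed, status code :: 500"),
    (1700000005, "[txn-001] retry failed, status code :: 503"),
    (1700000002, "[txn-002] upstream call failed, status code :: 502"),
    (1700000003, "[txn-003] request completed, status code :: 200"),
    (1700000004, "no transaction prefix, status code :: 504"),
]

def extract(raw):
    """Return (transactionId, status), or None when either pattern fails to match."""
    txn = TXN_RE.search(raw)
    status = STATUS_RE.search(raw)
    if not (txn and status):
        return None
    return txn.group("transactionId"), status.group("status")

def latest_status_by_transaction(events, term="status code :: 50"):
    """Mimic: <term filter> | rex ... | rex ... | stats latest(status) by transactionId."""
    latest = {}  # transactionId -> (time, status)
    for ts, raw in events:
        if term not in raw:
            continue  # stands in for the "status code :: 50*" search term
        fields = extract(raw)
        if fields is None:
            continue  # an event without a transactionId lands in no stats group
        txn, status = fields
        if txn not in latest or ts >= latest[txn][0]:
            latest[txn] = (ts, status)
    return {txn: status for txn, (_, status) in sorted(latest.items())}

if __name__ == "__main__":
    for txn, status in latest_status_by_transaction(SAMPLE_EVENTS).items():
        print(txn, status)
```

The last sample line shows why the `^\[` anchor matters: an event that does not start with a bracketed ID matches the status pattern but never appears in the per-transaction result.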