Hey and welcome to the Splunk community. 🙂
First of all, the answers to your questions have a "depends" in them. If your data is in a structure that is easy to onboard, you might want to start by reading and working through the docs: getting data in. After the data is onboarded correctly, the next thing would be to build field extractions based on the events. For this, you can use the field extractor. After you have built your fields, you can easily filter on them with something simpler, like index=yourIndex sourcetype=yourSourcetype | top your_desired_field1, field2 ...
Skalli
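As an added illustration (not part of Skalli's answer or of Splunk's own code), here is a small Python sketch of what the workflow above produces: a field-extraction regex of the kind the field extractor generates is applied to constructed sample events, and a `top`-style count is run over the extracted fields. The sample events, the regex and the field names (src_ip, method, uri_path, status, bytes) are assumptions made for the example; in Splunk the same result comes from the field extractor plus `| top status, method`.

```python
import re
from collections import Counter

# Constructed sample events (not real data): one sourcetype, web-server style lines.
SAMPLE_EVENTS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /login HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02] "POST /login HTTP/1.1" 401 128',
    '10.0.0.5 - - [01/Jan/2024:10:00:03] "POST /login HTTP/1.1" 401 128',
    '10.0.0.5 - - [01/Jan/2024:10:00:04] "POST /login HTTP/1.1" 401 128',
    '10.0.0.9 - - [01/Jan/2024:10:00:05] "GET /index HTTP/1.1" 200 2048',
    'garbage line that the extraction should skip',
]

# A field extraction of the kind the Splunk field extractor generates: named
# capture groups become fields. Splunk's PCRE syntax is (?<name>...); Python's
# re module spells the same thing (?P<name>...). Field names are assumed here.
EXTRACTION = re.compile(
    r'^(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def extract_fields(events):
    """Apply the extraction to every event; events that do not match yield no fields."""
    extracted = []
    for raw in events:
        m = EXTRACTION.match(raw)
        if m:
            extracted.append(m.groupdict())
    return extracted


def top(records, *fields, limit=10):
    """Mimic Splunk's `top f1, f2`: count distinct value combinations,
    report count and percent, most frequent first."""
    counter = Counter(
        tuple(r[f] for f in fields)
        for r in records
        if all(f in r for f in fields)
    )
    total = sum(counter.values())
    rows = []
    for combo, count in counter.most_common(limit):
        row = dict(zip(fields, combo))
        row["count"] = count
        row["percent"] = round(100.0 * count / total, 2)
        rows.append(row)
    return rows


if __name__ == "__main__":
    records = extract_fields(SAMPLE_EVENTS)
    # Equivalent in spirit to: index=yourIndex sourcetype=yourSourcetype | top status, method
    for row in top(records, "status", "method"):
        print(row)
```

The unparseable line is dropped rather than producing empty fields, which is also what a Splunk extraction does when its regex does not match; if many events fall through like that, the extraction needs widening before any `top` result can be trusted.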