Here is a runanywhere example which demonstrates a technique you might be able to adapt. index=_internal sourcetype=splunkd_ui_access
| where match(uri_path,
[search index=_internal sourcetype=splunkd_ui_access
| stats count by uri_path
| head 1
| eval path=split(uri_path,"/")
| eval query=trim(mvjoin(mvindex(path,2,3),"|"),"|")
| table query
| format])
| stats count by uri_path Essentially, what it does is use the match function on the field you want to filter on, with a subsearch to deliver a pipe-delimited string which act as OR's in the match function.
... View more