index=<indexname> | stats count values(host) values(source) values(sourcetype) values(index) by _raw | WHERE count>1