index=<specify index>
| eval x=sha256(_raw)
| stats count values(host) values(source) values(sourcetype) values(index) by x
| where count>1