The key_value() function has methods in it to handle duplicate keys.
allow_dup_keys
Indicates if duplicated keys are allowed. Default value: true.
handle_dup_keys
How to handle duplicated keys (if allow_dup_keysis set). It can take the values take_first, which will only use the first value for the key;or take_last, which will only use the last value for the key. Setting this option to any other value will change the handling to concatenate, which will combine all values given to the key, separating them with the value set in this option. For example, setting handle_dup_keys: ",", would combine all values given to a key a, separating them with a comma, such as 1,2,foo. Default value: take_first.
Graylog isn’t great about iterating through a variable count set, so this is likely the best you will get. Better to take the results and process them at a later time, either subsequent pipeline stage or perhaps as a decorator in a dashboard…