Dear Professor,

I have two alert search like this

1. Search 1:

index="abc" sourcetype="abc" service.name=financing request.method="POST" request.uri="*/applications" response.status="200"
|timechart span=2m count as applicaton_today
|eval mytime=strftime(_time,"%Y-%m-%dT%H:%M")
|eval yesterday_time=strftime(_time,"%H:%M")
|fields _time,yesterday_time,applicaton_today

And here is output

2. Search 2:

index="xyz" sourcetype="xyz" "Application * sent to xyz success"
|timechart span=2m count as omni_today
|eval mytime=strftime(_time,"%Y-%m-%dT%H:%M")
|eval yesterday_time=strftime(_time,"%H:%M")
|fields _time,yesterday_time,omni_today

And here is output

 3. I try to combine two search like this then calculate spike.

index="abc" sourcetype="abc" service.name=financing request.method="POST" request.uri="*/applications" response.status="200"
|timechart span=2m count as app_today
|eval mytime=strftime(_time,"%Y-%m-%dT%H:%M")
|eval yesterday_time=strftime(_time,"%H:%M")
| append [search index="xyz" sourcetype="xyz" "Application * sent to xyz"
| timechart span=2m count as omni_today]
|fields _time,yesterday_time,app_today,omni_today
|eval spike=if(omni_today < app_today AND _time <= now() - 3*60 AND _time >= relative_time(now(),"@d") + 7.5*3600, 1, 0)

Here is output

 But it shows two time span (like image). 

How can I combine two search with only time span like this.

Thank you for your help.