
Splunk Machine Learning Toolkit: Prediction, merge searches, and timechart

singh3and12
Path Finder

Hi,
I am trying to do prediction using the MLTK toolkit in Splunk; preferably I am using time-series forecasting with ARIMA as the algorithm to predict.
I have two searches which I want to merge into a single output that displays a timechart with CPU_Load on the Y axis and, on the X axis, the count of P2 incidents during that CPU_Load, using time. So I need to merge infra, i.e. CPU load, with P2 incidents. They come from two different indexes, and I will then use that search in MLTK under ARIMA to predict.
Could you please help me correct the search so we can merge them and get the expected result? I have already used append and join but didn't get the expected output.

Below is search 1:

index="xyz" source_host="abc" search_name=search_update_acn_tier3_os_monitoring metric_label="Processor : CPU Load Average 15 Alert" | timechart max(metric_value) as "CPU_Load"

Search 2:

index="defservice" impact="2 - High" sourcetype=csv | timechart count(incident) as "P2"

The way I was merging it :

index="xyz" source_host="abc" search_name=search_update_acn_tier3_os_monitoring metric_label="Processor : CPU Load Average 15 Alert" | timechart max(metric_value) as "CPU_Load" | append [search index="defservice" impact="2 - High" sourcetype=csv | timechart count(incident) as "P2"]

Any correction to this would be appreciated, as when I run this, one query is giving a normalized value, not the actual value as in Statistics. Could it be modified to get the expected outcome?

0 Karma
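The search in the post stacks rows rather than merging them: append places the subsearch's rows after the main search's rows, so every time bucket appears twice, once with only CPU_Load and once with only P2, and a chart over that table shows two disjoint series. One fix that keeps the append is to give both timecharts the same span and follow the append with `| stats max(CPU_Load) as CPU_Load sum(P2) as P2 by _time`, which collapses the duplicate buckets into one row each. The search below is an added example, not code from the post or from Splunk's documentation; it avoids the subsearch altogether by reading both indexes in one pass and letting timechart do the merge, which also sidesteps append's subsearch result limits. It uses the poster's own index, field and filter names; the one-hour span, the eval field names cpu_load and p2, and the ARIMA order, holdback and forecast_k values are assumptions chosen for illustration.

```spl
(index="xyz" source_host="abc" search_name=search_update_acn_tier3_os_monitoring metric_label="Processor : CPU Load Average 15 Alert")
OR (index="defservice" impact="2 - High" sourcetype=csv)
| eval cpu_load=if(index=="xyz", metric_value, null())
| eval p2=if(index=="defservice" AND isnotnull(incident), 1, 0)
| timechart span=1h max(cpu_load) as CPU_Load sum(p2) as P2
| fillnull value=0 P2
| filldown CPU_Load
| fit ARIMA _time CPU_Load order=1-1-1 holdback=24 conf_interval=95 forecast_k=24
```

The two eval lines tag each event by the index it came from, so max(cpu_load) only ever sees metric_value rows from index xyz and sum(p2) reproduces count(incident) over index defservice; one timechart then emits one row per bucket with both columns, which is the table the poster wanted to chart. The fillnull and filldown lines matter for the MLTK step: the ARIMA algorithm rejects missing values, and an hour with no metric sample would otherwise leave CPU_Load empty (filldown carries the previous reading forward; a wider span is the alternative). Note that MLTK's ARIMA is univariate: it forecasts the single field named after _time, here CPU_Load, and does not use P2 as a regressor, so P2 on the same row is there for the chart and for eyeballing correlation, not for the forecast. Remove the fit line to check the merged table first, and compare the holdback region's forecast against the actual values before trusting the forecast_k points beyond the data.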