EDIT: Nevermind, I was just being dumb. It seems no matter how I search by field3 value that triggered on field1, field 2 doesn't exist. For some reason I thought it did.

I have an interesting issue I'm trying to solve and I've hit a road block at this point.

Basically what I'm trying to accomplish is take the output of search1, append search2, and then match by both by field 3 since it exists in both searches.

Search1 and search2 have the same index, but produces mostly the same fields however there's a few that are not present on one search that the other has and vice versa. Let's call those field1 and field2. EDIT: Field 1 only exists in search1 and Field2 only exists in search2.

This is my current query:

index=s_index1  string field1="value" OR field1="value" OR string  field3!="value" | transaction field3  | append [search index=s_index1 string field2="*" | transaction field3] | transaction field3 | table  _time, field4, field5, field3, field6, field1, field2

This is currently not working to the full effect I'd like, It seems most of the data is there but it's not correct/interpreting it correctly.

I normally use eval to match the two separate fields with the same/or separate data is there a way to use eval in a way to match on searches?

Such as | eval search 1 field3=search 2 field 3 or is there a way to do this that I'm simply missing? Should I be using the join command instead of append? Any help would be greatly appreciated.