Correlation rule

or1515
Loves-to-Learn Everything

Hey splunkers, 
How can I correlate rules in Splunk from 2 data sources? 

The events for example:

OKTA - privilege granted
index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant"
+
Windows - Event Auditing disabled
index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed"

I want to correlate first Okta event and then the Windows event with the same field (for example Username) in 10 min.


ITWhisperer
SplunkTrust

You can use the join command to join the two searches, or the stats command to gather events from both searches by user.


or1515
Loves-to-Learn Everything

Can you write an example please?


ITWhisperer
SplunkTrust
index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant"
| join user [search index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed"]

or 

| multisearch [search index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant"]
 [search index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed"]
| stats values(*) as * by user

or1515
Loves-to-Learn Everything

Thanks for your response.

How can I set a time range between both searches?
Like search 2 occurring after 10 min?


ITWhisperer
SplunkTrust

You can use the earliest and latest fields on each search to override the timepicker settings.


or1515
Loves-to-Learn Everything

Again, it's not what I'm searching for.

I want to correlate 2 different indexes with different fields.

1. Cisco FW - suspicious IP address entered the internal network.
2. Crowdstrike - suspicious IP address scanning

In Cisco, the IP address field is written as: IP_Address

In Crowdstrike it's: IPaddress

I want to combine both events by the same field (IP Address) with a time range between both events.

I hope there is a solution for that 🙂


ITWhisperer
SplunkTrust

You could rename IPaddress to IP_Address

I don't understand your time requirement


or1515
Loves-to-Learn Everything

Alright, thanks.

1. What does the last row stand for?

| stats values(*) as * by user

Why are the values with *?

2. I want a time distance between the first search to the second search (Like 5-10 min).


ITWhisperer
SplunkTrust

| stats values(*) as * by user will gather all the fields (not internal fields) into multi value collections by user, renaming the collection with the name of the field i.e. the * means all fields. If you want the _time field to be included, you would probably have to add values(_time) as _time. You can then look at the times the events occurred to determine how far apart they are.


or1515
Loves-to-Learn Everything

Alright, but again it's not what I need.

I want to make a time space between the first search and the second search.
In this, what separates both searches is:
| join user

Now, I want another time field that will separate the first search from the second search.
Like 1m/1h/1d between the first search and the second.
Then it will become a correlation security search between 2 different indexes that will be combined on the same field and, for example, a 1h time difference.

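An added example (not from the thread) that puts the two answers together for the original Okta/Windows case: each subsearch normalises its username into a common user field and tags its stage, stats then computes each user's first privilege grant time and first audit-policy-removal time, and where keeps only users whose Windows event followed the Okta event within 600 seconds. The Okta username field actor.alternateId and the Windows user field are assumptions about the data; substitute whatever field carries the username in your events, and change 600 to widen or narrow the window.

```spl
| multisearch
    [ search index="network" sourcetype="OktaIM2:log" eventType="user.account.privilege.grant"
      | eval user=lower('actor.alternateId'), stage="okta_grant" ]
    [ search index="WinEventLog" sourcetype="WinEventLog" EventCode="4719" AuditPolicyChanges="removed"
      | eval user=lower(user), stage="win_audit_off" ]
| stats min(eval(if(stage="okta_grant", _time, null()))) as okta_time
        min(eval(if(stage="win_audit_off", _time, null()))) as win_time
        values(host) as hosts
        by user
| where isnotnull(okta_time) AND isnotnull(win_time)
| eval gap_sec = win_time - okta_time
| where gap_sec >= 0 AND gap_sec <= 600
| eval gap_min = round(gap_sec / 60, 1)
| convert ctime(okta_time) ctime(win_time)
| table user okta_time win_time gap_min hosts
```

The eval inside each subsearch is also where the Cisco/CrowdStrike case is handled: map IPaddress and IP_Address to one common field name there so stats can group both sources on it.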