I have a main search which groups together all the events with a unique ID (these events are critical, warning and normal alerts that I index on Splunk). I want to add a subsearch to my main search which would allow me to add other events in the form of a transaction. My problem here is that my unique ID in my main search is not the same as in my subsearch. This is what I want to do:
index=index1 (severity=2 OR severity=0 OR severity=1 OR (severity="-1" AND Function=Traps)) | eval ID=Service+"_"+Env+"_"+Apps+"_"+Function+"_"+managed_entity+"_"+varname | addinfo
| append [search index=index_sqlprod-itrs_toc (managed_entity="vpw-neorc-103 - rec" OR managed_entity="vpw-neorc-903 - rec") rowname="ASC RecordingControl" | eval ID=Service+"_"+Env+"_"+Apps+"_"+Function+"_"+varname | addinfo | sort _time asc | eval peer_failed=if(severity=2,1,-1) | streamstats sum(peer_failed) as failed_peers by ID | eval failed_peers=if((failed_peers=1) AND (severity="0" OR severity="-1"),3,failed_peers) | where NOT (failed_peers=1 OR failed_peers=0) | sort _time desc | transaction ID startswith=(failed_peers=2) endswith=(failed_peers=3) maxevents=2]
| transaction ID startswith=(severity=2) maxevents=2
My goal is to bring these transactions together without having the same ID. Is that possible?
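One way to correlate the two event sets even though the two searches build different IDs, shown here as an added example and not as part of the original post: derive the same correlation key in both branches from the fields they both have (Service, Env, Apps, Function, varname), leave managed_entity as an ordinary field instead of baking it into the key, and run transaction on that shared key. The index names, field names and severity logic are taken from the question; the key name common_id, the source_branch marker field and the maxevents value are assumptions.

```spl
index=index1 (severity=2 OR severity=0 OR severity=1 OR (severity="-1" AND Function=Traps))
| eval common_id=Service."_".Env."_".Apps."_".Function."_".varname
| eval source_branch="main"
| append
    [ search index=index_sqlprod-itrs_toc (managed_entity="vpw-neorc-103 - rec" OR managed_entity="vpw-neorc-903 - rec") rowname="ASC RecordingControl"
      | eval common_id=Service."_".Env."_".Apps."_".Function."_".varname
      | eval source_branch="sub"
      | sort 0 _time
      | eval peer_failed=if(severity=2,1,-1)
      | streamstats sum(peer_failed) as failed_peers by common_id
      | eval failed_peers=if(failed_peers=1 AND (severity="0" OR severity="-1"),3,failed_peers)
      | where NOT (failed_peers=1 OR failed_peers=0) ]
| sort 0 -_time
| transaction common_id startswith=(severity=2 OR failed_peers=2) endswith=(failed_peers=3) maxevents=4
| table _time duration eventcount common_id source_branch managed_entity severity failed_peers
```

The `sort 0 -_time` after the append matters: transaction expects its input in reverse chronological order, and appended results arrive after the main results rather than interleaved by time. Events from the main search carry no failed_peers field, so the `failed_peers=2` half of startswith is simply false for them and only the `severity=2` half applies; the subsearch events keep their failed_peers state from streamstats. Because managed_entity is no longer part of the key, the two managed_entity values that differ between branches show up as a multivalue field on the merged transaction rather than splitting it in two.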