Thanks for hints, I guess it is also not that easy to troubleshoot remotely, but here are the results of this query:

It seems to include other levels (informational, Warning, Error, ...), and does not aggregate some fields (got 2 critical columns, but 5+17=22, should be 2+17=19)

Maybe a join on _time field would have helped aggregating results from the 2 queries ?

The search is case insensitive and Critical is not the same as critical when it comes to doing the stats. Try:

(sourcetype="yyyy" request_status=blocked violation_rating>=3) OR sourcetype="xxxx"
| eval severity=coalesce(severity,case(violation_rating=3,"Medium",violation_rating=4,"High",violation_rating=5,"Critical"))
| where (severity="Medium" OR severity="High" OR severity="Critical")
| timechart span=1d count by severity

Very weird because query1 & query2 do NOT have any "Critical" intead of "critical" (I added to check if there is any value), but I found out that query2 has also a severity field that I do not need/use.

I tried your query but does not give the waited output, so I tried to lowercase everything, but result is that I have only query1 now as output...

I am wondering if maybe I can use "if(isnull(severity), eval xxxx, severity)" to fill the NULL values or something like that

One query gives me 715 events, and the other 3985 events, so I need to have around 4700 events after aggregation

I am trying to use another field called "mySeverity" to get the filter I need:

(sourcetype="xxx" request_status=blocked violation_rating>=3) OR (sourcetype="yyy" severity=medium OR severity=high OR severity=critical)
| eval mySeverity = if(isnull(severity), coalesce(severity,case(violation_rating=3,"medium",violation_rating=4,"high",violation_rating=5,"critical")), severity)

This still does not work because the severity field is not null as I expected but with propercase value I need to get rid: