Do you have host & InstallDate fields in sourcetype=uberAgent:System:SystemPerformanceSummary2 and are non null?

Try the below and see if you have some events in common.

index=uberagent (sourcetype=uberAgent:Application:SoftwareUpdateInventory host=*) OR sourcetype=uberAgent:System:SystemPerformanceSummary2 
|stats dc(sourcetype) as c by host,InstallDate  |where c>1

Of course! that is the point! 🙂

The InstallDate is not on sourcetype 2.

Said that, I need my calculations based on the InstallDate values.

How can I do that?

Maybe in this case I should use the JOIN with HOST field that is common to both?

Can not really say without seeing the events. But you may try including the InstallDate in existing stats as values(InstallDate ) as InstallDate . In between, in the currrent search are you getting host and InstallDate as multivalue field or wha'ts the use of mvexpand host and mvexpand InstallDate ?

Thank you for you help on this!

I`ve tried to use values(InstallDate ) as InstallDate in the current stats but got the following error:
Error in 'stats' command: The output field 'InstallDate' cannot have the same name as a group-by field.

if use a separated stats, nothing comes up.

About the mvexpand, I`m using because was the way a found to get the same result as the splitrow in pivot.

See below an example of the events:

InstallDate Machine Name Patch Name ProducName %of CPU %of RAM % of IO
2018-01-01 KB1234 Office

2018-01-01 KB1234 Office

2018-01-02 KB1234 Office

values(InstallDate ) as InstallDate by host (exclude the InstallDate from by clause)

InstallDate Machine Name Patch Name ProducName %of CPU %of RAM % of IO
2018-01-01 SERVERA KB1234 Office null null null
2018-01-01 SERVERB KB1234 Office null null null
2018-01-02 SERVERC KB1234 Office null null null