I have following search:

index=pfsense OR index=otherindex verdict=pass | stats values(destip) AS fieldA, values(otherfield) AS fieldB, values(_time) as fieldC | mvexpand fieldA | mvexpand fieldC | eval matching=if(match(fieldA,fieldB),"1","0") | where matching > 0 | eval fieldC=strftime(fieldC,"%d/%m/%y %H:%M:%S") | table fieldA, fieldB, fieldC, verdict | rename verdict AS "Firewall verdict", fieldA AS "Destination IP", fieldB AS "otherfield", fieldC AS "Event time"

My problem is that verdict (as pass or block) which should be per search now only for "pass" does not follow till table. If I remove the verdict - it works, just without telling to select only passed events. The fields do exist.

Any idea how to make search working so that I can filter the whole search by verdict?