Hi @darkhorse91 ,
you could use join command but I don't hint because you'll have a very slow search.
Otherwise, you could run something like this:
(index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now)
| stats
values(field_retrospective_1) AS field_retrospective_1
values(field_retrospective_2) AS field_retrospective_2
values(field_retrospective_3) AS field_retrospective_3
values(field_current_1) AS field_current_1
values(field_current_2) AS field_current_2
BY my_field
if you want also to add the condition that my_field must be present in both the indexes, you could run
(index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now)
| stats
values(field_retrospective_1) AS field_retrospective_1
values(field_retrospective_2) AS field_retrospective_2
values(field_retrospective_3) AS field_retrospective_3
values(field_current_1) AS field_current_1
values(field_current_2) AS field_current_2
dc(indexes) AS index_count
BY my_field
| where index_count=2
Ciao.
Giuseppe
