Hi @gcusello 

Amazing. This works. Thanks

I have Another query: how can I print those field values from subsearch that are not in the main search?

In this case the results of the main search is a superset of the subsearch

Hi @darkhorse91 ,

you could use join command but I don't hint because you'll have a very slow search.

Otherwise, you could run something like this:

(index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now)
| stats 
   values(field_retrospective_1) AS field_retrospective_1   
   values(field_retrospective_2) AS field_retrospective_2
   values(field_retrospective_3) AS field_retrospective_3
   values(field_current_1) AS field_current_1
   values(field_current_2) AS field_current_2
   BY my_field

if you want also to add the condition that my_field must be present in both the indexes, you could run

(index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now)
| stats 
   values(field_retrospective_1) AS field_retrospective_1   
   values(field_retrospective_2) AS field_retrospective_2
   values(field_retrospective_3) AS field_retrospective_3
   values(field_current_1) AS field_current_1
   values(field_current_2) AS field_current_2
   dc(indexes) AS index_count
   BY my_field
| where index_count=2

Ciao.

Giuseppe