Good day,

I want to join two indexes to show all the email addresses that the user have that signed in. 

This queries my mimecast signin logs 

index=db_mimecast splunkAccountCode=* mcType=auditLog | dedup user | table _time, user | sort _time desc

Lets say it returns a user@domain.com that singed in.

I want to then join this to show all the info from 

index=collect_identities sourcetype=ldap:query
| dedup email
| eval identity=replace(identity, "Adm0", "")
| eval identity=replace(identity, "Adm", "")
| eval identity=lower(identity)
| table email extensionAttribute10 extensionAttribute11 first last identity
| stats 
     values(email) AS email
     values(extensionAttribute10) AS extensionAttribute10
     values(extensionAttribute11) AS extensionAttribute11
     values(first) AS first
     values(last) AS last
     BY identity

I tried inner join but I do not have anything that match since my results come back as this for my second query