Hey,

i'm trying to merge/join 2 searches into 1, and create a table of the data.

this is my starting query:

index=myapp source="mysource" earliest=1477810800 latest=1477821600 | extract REPORT-blabla | join type=left max=1 [search index=myapp source="mysource" earliest=1477810800 latest=1477821600 | extract REPORT-blabla2] | table _time,ID,field1,field2,field3,field4,field5

with this query i can get the minutely data.

what i need is an hourly data, something like timechart span=1h does.
but my problem is that i need an hourly data for every hour for fields1-5, so timechart is not good for me.
(e.g i need timechart max(avg(field1),field2,...,field5) by ID but timechart supports only one field)

i have tried using bucket like this:

index=myapp source="mysource" earliest=1477810800 latest=1477821600 | extract REPORT-blabla | join type=left max=1 [search index=myapp source="mysource" earliest=1477810800 latest=1477821600 | extract REPORT-blabla2] | bucket _time span=1h | table _time,ID,field1,field2,field3,field4,field5

but what i get is the same time for all the lines.

my wish is to have something like this:
index=myapp source="mysource" earliest=1477810800 latest=1477821600 | extract REPORT-blabla | join type=left max=1 [search index=myapp source="mysource" earliest=1477810800 latest=1477821600 | extract REPORT-blabla2] | table _time,ID,field1,field2,field3,field4,field5 | timechart avg(field1),avg(field2),avg(field3),avg(field4),avg(field5) by ID span=1h

bu again, timechart does not support multiple fields.

so my question is:
1. how to merge 2 searches into one large table?
2. how to make the span of that large table become 1h?

Thank you!!