Hi.

i have a search which need to combine fields from two index. i know i can use "Join" but it is too costly thats why i start looking into the "Append" command.

The question is i found i have to enter the field value in the "append search" to get the correct final table, if i dont put the value in the append search, this field will missing in the final table. Below i have attached some of the code.

index=year* Code=12 OR Code=13 Number=12345678
| rex ****************
| rex ****************
| eval *******************
| eval 001=xxxxx
| append
[search index=month* Word=xys OR word=ayd Number=12345678| fields + day week time]
| rex ****************
| rex ****************
| eval *******************
| eval 002=xxxxxxx
| stats
first(001) as 001
first(002) as 002
by Number
|table 001 002

The code above works find but once i remove the Number=12345678 in the append search, the 002 field which is from the Append search cannot show in the table, and all the remaining events in index=month* will show in the table. is it possible to solve this? thanks a lot!!