no need to join, try this:

index=xyz event="NEAT-IN" platform="APNS"  OR event="push*" 
| stats count(eval(event="NEAT-IN")) AS count_NEAT count(eval(event="push*")) AS count_push by platform, batch

cheers, MuS

@Mus Executed the query but count_push is coming as zero . Looks like splunk does not do count(eval(event="push*"))

or try this:

index=xyz event="NEAT-IN" platform="APNS"  OR event="push*" 
 | stats count(eval(event="NEAT-IN")) AS count_NEAT count(eval(if(match(event, push) , 1, 0 ))) AS count_push by platform, batch

Now both counts are coming as 578.

Query used:
index=xyz event="NEAT-IN" platform="APNS" OR event="push*"
| stats count(eval(event="NEAT-IN")) AS count_NEAT count(eval(if(match(event, push) , 1, 0 ))) AS count_push by platform

The output is 578,578 . This is not correct @MuS.

It should be 578,488

Any Idea what is happening.

NEAT-IN

<167>1 2014-12-14T18:23:49.908-07:00 x.y.com neat 901 apns [meta@28281 sequenceId="69599" sysUpTime="1109890868"][analytics@28281 event="NEAT-IN" platform="APNS"] {"timestamp":"1418606629897","platform":"apns","alertId":"1404841346","appId":"appId","args":{"time":"1418606629788","batch":"48288","tms_id":"tmsId","src":"src"},"deviceToken":"devToken","alert":"Exciting Game"}

pushApns

<167>1 2014-12-14T18:23:49.909-07:00 x.y.com neat 6627 apns [meta@28281 sequenceId="71272" sysUpTime="1109890867"][analytics@28281 event="pushApns" platform="APNS" outcome="0" errorCode="0" errorDesc="Push to apns success" errorContext="TCP-SSL" operation="PUSH_APNS" opTime="0" startTime="1418606629908" appId="appId" deviceToken="devToken" args="{\"time\":\"1418606629788\",\"batch\":\"48288\",\"tms_id\":\"tms_id\",\"src\":\"src\"}" txId="2099269910"]

this should provide the correct count:

index=xyz event="NEAT-IN" OR event="pushApns" platform="APNS" 
| stats count(eval(event="NEAT-IN")) AS count_NEAT count(event="pushApns") AS count_push

Why not the previous one.

because count(event="pushApns") is not the same like count(eval(if(match(event, push) , 1, 0 )))
the first will match only the event field which contains pushApns but the later will match any event field containing push like foopush or pushbaz or pushApns

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

But event can be only pushApns or NEAT-IN

No, can you provide some samples of your events?

could be try it without the star/wildcard and use the value you need instaed

Not understanding how the count got goofed up

I have 2 searches and there counts are different. I want to find the rows which don't join.

event="NEAT-IN" has 578 count
event="pushApns" has only 488 count
I want to know which 578-488 are the missing ones and do further query on them