Hi @karthi2809,

as I said in the previous answer: don't use join, Splunk isn't a DB use stats or something similar to this

index="xxx" applicationName="api" (environment=$env$ timestamp correlationId trace message ("Ondemand Started*" OR "Expense Process started") OR (trace=ERROR) OR (message="*Before Calling flow archive-Concur*")
| rename sourceFileName as SourceFileName content.JobName as JobName
| eval "FileName/JobName"= coalesce(SourceFileName,JobName)
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as Tracepoint message as Message
| eval JobType=case(like('Message',"%Ondemand Started%"), "OnDemand", like('Message',"Expense Process started%"), "Scheduled", true(), "Unknown")
| eval Message=trim(Message,"\"")
| rename correlationId as CorrelationId traceas TracePoint message as StatusMessage
| rename 
   correlationId AS CorrelationId 
   content.loggerPayload.archiveFileName AS ArchivedFileName
| stats
   earliest(Timestamp) AS Timestamp
   values(Tracepoint) AS Tracepoint
   values(JobType) AS JobType
   values("FileName/JobName") AS "FileName/JobName"
   values(Message) AS Message
   values(StatusMessage) AS StatusMessage
   values(ArchivedFileName) AS ArchivedFileName
   BY CorrelationId

in other words: put all the searches in OR in the main search, use all the renames and evals, and at east correlate results using the join key in a stats command.

If you want some additional field, add it to the stats command.

Ciao.

Giuseppe