My splunk query able to get the required results using below query.  After running the query, I get NULL values in one of the column. As per business requirement i need to replace the NULL values to blank or some other values in one of the column name acd2.

index=application1 "ProcessWriteBackServiceImpl" "userList" sourcetype="intradiem:iex:ewfm" source="E:\app1\\appsec\\appsec1\\test.log" | rex field=_raw "^(?:[^\[\n]*\[){2}(?P\w+)[^=\n]*=\[(?P\d+)" | eval empid = substr("000000", 0, max(9-len(empid), 0)) . empid | search actiontype="*" empid="*" | stats count by actiontype, empid, _time | table actiontype, empid, _time | join type=inner empid [search index="*" earliest=-24hr latest=now source="D:\\app2\\app_data.csv" | rex field=_raw "^(?P[^,]+),(?P\w+),(?P[^,]+),(?P[^,]+),(?P\d+)\,(?\w+)\,(?P[^,]+),(?P\w+)" | search empid="*" msid="*" muid="*" muname="*" acd="*" acd2="*" lastname="*" firstname="*"] | eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time | table Time, actiontype, empid, muid, muname, acd,acd2, lastname, firstname

output results

Timeactiontypeempidmuidmunameacdacd2lastnamefirstname 1 2024-19-04 08:10:18 Break 0000000 3302 test 55 NULL sample name sample name 2 2024-19-04 08:14:41 Break 0000000 6140 test 55 NULL sample name sample name 3 2024-19-04 08:35:07 Break 00000000000 1317 test 55 NULL sample name sample name 4 2024-19-04 08:25:41 Break 000000000 1106 test 55 NULL sample name sample name 5 2024-19-04 07:25:19 0 000000000000 6535 test 55 96 sample name sample name