Hi ,

My query is like below,

 index=s sourcetype=Fire
| fillnull value=""
| eval OS=case(like(OS,"%Windows%"),"Windows",like(OS,"%Linux%"),"Linux",1=1,"Others")
| eval group = case(OS="Windows","Windows Host Intrusion Detection Prevention Agents Not Reporting",OS="Linux","Linux Host Intrusion Detection Prevention Agents Not Reporting") | search Environment="Production" OR Environment="PSE"
| rename Reporting_Status as Compliance_Status
| replace Reporting with Compliant "Not Reporting" with Noncompliant "Not Reporting (possibly due to ITAM FQDN field not populated)" with NotReporting "Not Reporting (ITAM FQDN field not populated)" with NotReporting in Compliance_Status
| eval Compliance_Status=case(Compliance_Status="Compliant" OR Compliance_Status="Excluded from reporting, yet is reporting","Compliant",Compliance_Status="Noncompliant" OR Compliance_Status="Not Reporting" OR Compliance_Status="Error","NonCompliant") 

| append
[| search index=s  sourcetype=Work
| fillnull value=""
| eval group = case(Environment="Production" OR Environment="PSE","Workstations Host Intrusion Detection Prevention Agents Not Reporting")
| rename Reporting_Status as Compliance_Status
| replace Reporting with Compliant "Not Reporting" with Noncompliant "Not Reporting (possibly due to ITAM FQDN field not populated)" with NotReporting "Not Reporting (ITAM FQDN field not populated)" with NotReporting in Compliance_Status
| eval Compliance_Status=case(Compliance_Status="Compliant" OR Compliance_Status="Excluded from reporting, yet is reporting","Compliant",Compliance_Status="Noncompliant" OR Compliance_Status="Not Reporting" OR Compliance_Status="Error","NonCompliant") ]

| append
[| search index=c sourcetype=cloud
| fillnull value=""
| eval group = case(Cloud_Platform="Azure","Azure Baseline Noncompliance",Cloud_Platform="Aws","AWS Baseline Noncompliance")
| search Account_Environment="PROD" OR Account_Environment="PRD" OR Account_Environment="PSE"
| stats sum(CountOf_Compliant_AssetsTested) as Compliant sum(CountOf_Noncompliant_AssetsTested) as NonCompliant ]

|stats count by group

The last append is not taken into count ,since Compliance and Non Compliance are not in Compliance_Status field.

| stats sum(CountOf_Compliant_AssetsTested) as Compliant sum(CountOf_Noncompliant_AssetsTested) as NonCompliant

Is there a way to bring them to new field Compliance_Status ,which will help to show after stats by group.