Hi @darkhorse91,

you have to use a subsearch, with the limitation that you cannot have more than 50,000 results from the subsearch, if:

- the current search is on index=current and runs on the last day,
- the retrospective search runs on index=retrospective and the last 30 days,
- the common field is my_field and it has the same name in both the searches,

you could try something like this:

    index=retrospective earliest=-30d latest=now [ search index=current earliest=-24h latest=now | dedup my_field | fields my_field ]

You have to adapt my approach to your searches.

Ciao.
Giuseppe