I think append had some limits to append it, so if we are handling with large volumes of data set like 2 lakh events, which command will be useful!

This is why my first reply hinted that restructuring the searches could be a better option. You did mention each of the two macros were simple index searches with different sourcetype constraints. It is much more efficient to combine the two searches into one, then stats over their differences. If you observe how the search I constructed before had to manufacture a field named "source" (which obviously is not your data field named source), you would draw a parallel. Based on the pseudocode of your macros, here is an example of what you can use instead:

index=sap sourcetype IN (1A*, 2A*)
| eval sourcetype = if(match(sourcetype, "^1A"), "1A...", "2A...")
| stats values(sourcetype) as sourcetype by host
| where mvcount(sourcetype) < 2 AND sourcetype == "1A..."
| stats dc(host) as count_diff
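
The following is an added example, not part of the original reply: a Python emulation of the pipeline above, run over constructed events, to show which hosts the final count includes. The host names and sourcetype suffixes are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (host, sourcetype); not data from the thread.
# All of them already satisfy the base search: sourcetype IN (1A*, 2A*).
EVENTS = [
    ("hostA", "1A_audit"), ("hostA", "2A_audit"),   # seen in both groups
    ("hostB", "1A_audit"), ("hostB", "1A_login"),   # two 1A* sourcetypes only
    ("hostC", "2A_audit"),                          # 2A* only
    ("hostD", "1A_login"),                          # 1A* only
]

def hosts_only_in_first(events):
    """Hosts that report 1A* sourcetypes and never a 2A* sourcetype."""
    by_host = defaultdict(set)
    for host, sourcetype in events:
        # | eval sourcetype = if(match(sourcetype, "^1A"), "1A...", "2A...")
        label = "1A..." if re.search(r"^1A", sourcetype) else "2A..."
        # | stats values(sourcetype) as sourcetype by host
        # values() keeps distinct values, so a set models it.
        by_host[host].add(label)
    # | where mvcount(sourcetype) < 2 AND sourcetype == "1A..."
    return sorted(h for h, labels in by_host.items() if labels == {"1A..."})

def count_diff(events):
    # | stats dc(host) as count_diff
    return len(hosts_only_in_first(events))

if __name__ == "__main__":
    print(hosts_only_in_first(EVENTS), count_diff(EVENTS))
```

hostB is counted even though it has two raw sourcetypes, because the eval collapses every 1A* value to one label before the stats.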