All Posts

https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/HowSAMLSSOworks
Would an aggregated resulting dataset be sufficient for your ask? I tried to do what I think you are asking by utilizing a stats command to aggregate data from the two indexes together, but it has just a compressed overview of the analysis. Example of output with simulation data:

Achieving this with the base searches you provided would look like this:

(index=sith broker sithlord!=darth_maul) OR (index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn"))
| fields + _time, index, Jname, saber_color, domain, master, strengths, mentor, skill, mission, Sname, strength, teacher, actions
| tojson str(saber_color) str(domain) str(master) str(actions) str(mentor) str(mission) str(skill) str(strength) str(strengths) str(teacher) output_field=unique_field_combos_json
| fields + _time, index, Jname, Sname, unique_field_combos_json
| eval name=coalesce('Jname', 'Sname')
| stats min(_time) as earliest_event, max(_time) as latest_event, count as total_count, count(eval('index'=="jedi")) as jedi_count, count(eval('index'=="sith")) as sith_count, values(index) as indexes, dc(index) as dc_indexes, latest(eval(case('index'=="jedi", unique_field_combos_json))) as jedi_unique_field_combos_json, latest(eval(case('index'=="sith", unique_field_combos_json))) as sith_unique_field_combos_json by name
| eval scenario=if( 'dc_indexes'==1, case( 'indexes'=="jedi", "Jedi Only", 'indexes'=="sith", "Sith Only" ), "Jedi and Sith" )
| foreach *_unique_field_combos_json [ | eval unique_field_combos_json=if( isnotnull('<<FIELD>>'), mvappend( 'unique_field_combos_json', json_set('<<FIELD>>', "type", "<<MATCHSTR>>") ), 'unique_field_combos_json' ) ]
| fields - *_unique_field_combos_json
| mvexpand unique_field_combos_json
| fromjson unique_field_combos_json
| fields - unique_field_combos_json
| fields + name, type, scenario, total_count, jedi_count, sith_count, saber_color, domain, master, actions, mentor, mission, skill, strength, strengths, teacher
| stats values(*) as * by name
| fields + name, type, scenario, *_count, saber_color, domain, master, actions, mentor, mission, skill, strength, strengths, teacher
| eval scenario_sort=case( 'scenario'=="Jedi and Sith", 1, 'scenario'=="Jedi Only", 2, 'scenario'=="Sith Only", 3 )
| sort 0 +scenario_sort
| fields - scenario_sort

Generating the simulation data was a doozy since I don't have a datagen set up right now, but I was able to put something together using built-in Splunk commands. SPL used for the simulation, for reference:

| makeresults count=1000
| eval low=1, high=[ | makeresults | eval index="sith", fields_to_gen=split("Sname|saber_color|strength|teacher|actions", "|") | append [ | makeresults | eval index="jedi", fields_to_gen=split("Jname|saber_color|strengths|mentor|skill|mission|master|domain", "|") ] | mvexpand fields_to_gen | fields - _time | eval value_format=if( match('fields_to_gen', "^[A-Z]name$"), "name", 'fields_to_gen' ) | rename fields_to_gen as fieldname | tojson str(fieldname) str(value_format) output_field=field_format_json | fields + index, field_format_json | stats values(field_format_json) as field_format_json by index | eval field_format_json_array="[".mvjoin(field_format_json, ",")."]" | fields - field_format_json | streamstats count as index_number_assignment | stats max(index_number_assignment) as index_count | return $index_count ], rand=round(((random()%'high')/'high')*('high'-'low')+'low')
| fields - low, high
| rename rand as index_number_assignment
``` distribute timestamps ```
| streamstats count as iter
| eval _time=now()-('iter'/10)
| join type=left index_number_assignment [ | makeresults | eval index="sith", fields_to_gen=split("Sname|saber_color|strength|teacher|actions", "|") | append [ | makeresults | eval index="jedi", fields_to_gen=split("Jname|saber_color|strengths|mentor|skill|mission|master|domain", "|") ] | mvexpand fields_to_gen | fields - _time | eval value_format=if( match('fields_to_gen', "^[A-Z]name$"), "name", 'fields_to_gen' ) | rename fields_to_gen as fieldname | tojson str(fieldname) str(value_format) output_field=field_format_json | fields + index, field_format_json | stats values(field_format_json) as field_format_json by index | tojson str(index) str(field_format_json) output_field=json | streamstats count as index_number_assignment | fields + index_number_assignment, json ]
| fromjson json
| fields - json, index_number_assignment
| eval json=json_object()
| foreach mode=multivalue field_format_json [ | eval fieldname=spath('<<ITEM>>', "fieldname"), json=json_set(json, 'fieldname', spath('<<ITEM>>', "value_format")."_") ]
| fields - field_format_json
| spath input=json
| fields - json, fieldname
| fields + index, *
| foreach *name [ | eval low=1, high=5, rand=round(((random()%'high')/'high')*('high'-'low')+'low'), <<FIELD>>='<<FIELD>>'.'rand' | fields - low, high, rand ]
| foreach * [ | eval low=1, nested_high=10, nested_rand=round(((random()%'nested_high')/'nested_high')*('nested_high'-'low')+'low'), high='nested_rand', rand=round(((random()%'high')/'high')*('high'-'low')+'low'), <<FIELD>>=if( NOT match("<<FIELD>>", "[A-Z]name$") AND NOT "<<FIELD>>"=="index", '<<FIELD>>'.'rand', '<<FIELD>>' ) | fields - low, high, rand, nested_high, nested_rand ]
| eval Jname=if( 'index'=="jedi" AND 'Jname'=="name_1", "name_unique_jedi", 'Jname' ), Sname=if( 'index'=="sith" AND 'Sname'=="name_2", "name_unique_sith", 'Sname' )
``` the base search, commented out here because the simulated events replace it: (index=sith broker sithlord!=darth_maul) OR (index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn")) | fields + _time, index, Jname, saber_color, domain, master, strengths, mentor, skill, mission, Sname, strength, teacher, actions ```
| tojson str(saber_color) str(domain) str(master) str(actions) str(mentor) str(mission) str(skill) str(strength) str(strengths) str(teacher) output_field=unique_field_combos_json
| fields + _time, index, Jname, Sname, unique_field_combos_json
| eval name=coalesce('Jname', 'Sname')
| stats min(_time) as earliest_event, max(_time) as latest_event, count as total_count, count(eval('index'=="jedi")) as jedi_count, count(eval('index'=="sith")) as sith_count, values(index) as indexes, dc(index) as dc_indexes, latest(eval(case('index'=="jedi", unique_field_combos_json))) as jedi_unique_field_combos_json, latest(eval(case('index'=="sith", unique_field_combos_json))) as sith_unique_field_combos_json by name
| eval scenario=if( 'dc_indexes'==1, case( 'indexes'=="jedi", "Jedi Only", 'indexes'=="sith", "Sith Only" ), "Jedi and Sith" )
| foreach *_unique_field_combos_json [ | eval unique_field_combos_json=if( isnotnull('<<FIELD>>'), mvappend( 'unique_field_combos_json', json_set('<<FIELD>>', "type", "<<MATCHSTR>>") ), 'unique_field_combos_json' ) ]
| fields - *_unique_field_combos_json
| mvexpand unique_field_combos_json
| fromjson unique_field_combos_json
| fields - unique_field_combos_json
| fields + name, type, scenario, total_count, jedi_count, sith_count, saber_color, domain, master, actions, mentor, mission, skill, strength, strengths, teacher
| stats values(*) as * by name
| fields + name, type, scenario, *_count, saber_color, domain, master, actions, mentor, mission, skill, strength, strengths, teacher
| eval scenario_sort=case( 'scenario'=="Jedi and Sith", 1, 'scenario'=="Jedi Only", 2, 'scenario'=="Sith Only", 3 )
| sort 0 +scenario_sort
| fields - scenario_sort
To perform a rolling restart of the SH cluster, use:
splunk rolling-restart shcluster-members
To check the current status of the rolling restart, use:
splunk rolling-restart shcluster-members -status 1
Many thanks for all your inputs. It is working as expected.
Hi everybody, maybe a noob question: when I configure the JavaScript agent, I noticed that you just have to copy and paste a script into the main page of your web app. The AppKey value is included in that script, but this AppKey is visible if you open the dev tools of any browser. Is there any problem or risk if I leave the AppKey visible in my web app? Any suggestion on how to hide it? I'm working with SvelteKit, but I guess it will be the same for most JavaScript frameworks.
Checked, but it seems there are some other issues. But the 'Uncaught Exception' error really doesn't help... Checked the splunkd log and python log as well, nothing special... Contacted Splunk support; no update on this issue yet.
My usual advice is not to treat structured data such as XML as string text. Splunk's built-in routines designed to process XML (e.g., spath) are much more robust than any regex you can construct. If you have difficulty using spath and such, post sample/mock data (anonymized as needed) and explain what search you use, what result you get, and how the result differs from what you want.
   I think append has some limits, so if we are handling large volumes of data, like 2 lakhs of events, which command will be useful?

This is why my first reply hinted that restructuring the searches could be a better option. You did mention that each of the two macros was a simple index search with different sourcetype constraints. It is much more efficient to combine the two searches into one, then stats over their differences. If you observe how the search I constructed before had to manufacture a field named "source" (which obviously is not your data field named source), you would draw a parallel. Based on the pseudo code of your macros, here is an example of what you can use instead:

index=sap sourcetype IN (1A*, 2A*)
| eval sourcetype = if(match(sourcetype, "^1A"), "1A...", "2A...")
| stats values(sourcetype) as sourcetype by host
| where mvcount(sourcetype) < 2 AND sourcetype == "1A..."
| stats dc(host) as count_diff
I like it. I added some sed commands to pull out the parentheses, as they were causing issues searching once the values were passed via token, but once I did that the rest of the panels worked. Thanks!
Hi @Rajkumar.Varma, there might be a way of doing it. You can check out the AppDynamics APIs here: https://docs.appdynamics.com/appd/23.x/latest/en/extend-appdynamics You can also try contacting Support: How do I submit a Support ticket? An FAQ if you want to dive deeper into the report question.
Hi @tharun.santosh, unfortunately, Support is only available to customers with a paid license, which is why I suggested filling out that form and getting in touch with Sales. I don't know what their SLA is for a follow-up.
Hi @Tomasz.Nawojczyk, Extensions moved to an Open Source model in late 2021. Since the Community has not chimed in yet, you may want to try contacting Support or reaching out to your AppD rep. https://docs.appdynamics.com/paa/appdynamics-support-advisories/support-advisory-changes-to-extensions-support-model How do I submit a Support ticket? An FAQ
Thanks @VatsalJagani 
Hi @AL3Z, yes, except for the first, they are all paid courses. Ciao. Giuseppe
@Jayaraman I'm having the same issue, did you find a solution?
Check out the format command. It will put the available fields into a sequence of OR clauses.

index=db source=MSGTBL MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>"
| fields MSGID
| format
Hi @gcusello, I already mentioned it, right? If the condition is "Offline", an alert mail needs to be sent (only one alert; all the rest need to be suppressed). If the condition becomes "online", an alert needs to be sent (only one alert; all the rest need to be suppressed). This search will run every 5 min and search the results for the past 5 min. This is my requirement... Please guide me.
@mstoro - I believe this should not be encrypted in the browser. It will be encrypted on the fly if you are using the Splunk UI over HTTPS.
Hi @parthiban, run this search in the search dashboard of the app where you want to store your alert. Be sure to use the correct time period. Then save it as an alert, adding the information for alert execution (scheduling) and actions (email or other). Ciao. Giuseppe P.S.: Karma Points are appreciated
I wish I were more well-versed in the various deployment architectures for Splunk and what they mean as far as app / add-on deployment, but I'm not and am stuck at the moment. A customer has asked whether an app we have published to Splunkbase supports Search Head Clustering. Having read through some documentation on what it is and how it works, I'm still uncertain as to what that means with respect to my app. Does anyone know (or can point me to a resource that I've yet to unearth) what "support Search Head Clustering" means, how I would know whether my app supports it, and what must be done by an app developer to support it? I can say with certainty that we did not do anything special during the development process to support this, but that doesn't mean it isn't supported inherently... so I'm at a loss.