Perhaps if you shared your actual raw unformatted events (anonymised as appropriate) in a code block to preserve any formatting there might be in the event, we might be able to suggest something that might work with your data.

Thank you, but it doesn't work by some reason... ... ... | eval output1=json(output) | eval output3 = json_extract(output1, "data.affected_items{}.id") | table output3   - works fine, but the result in the one row   ... | eval output1=json(output) | spath input=output1 path="data.affected_items{}.id{}" output=output3 | mvexpand output3 | table output3   - shows "No results found."

OK so how do you want them combined e.g. do you want the times from the "unique objectIds" message and "data retrieved for Ids" message to be in the same row by object id? | spath uniqObjectIds{} output=uniqObjectIds | spath uniqueRetrievedIds{} output=uniqueRetrievedIds | spath eventBody.objectIds{} output=eventBodyObjectIds | eval eventBodyObjectIds=if(eventBodyObjectIds=="",null(),eventBodyObjectIds) | eval objectId=coalesce(eventBodyObjectIds,coalesce(uniqueRetrievedIds,uniqObjectIds)) | eval retrievedTime=if(msg=="data retrieved for Ids",time,null()) | eval uniqueTime=if(msg=="unique objectIds",time,null()) | stats values(retrievedTime) as retrievedTime values(uniqueTime) as uniqueTime by objectId

Happy 12th Birthday, posting #107735 ! You're a tween now! Why, it seems like only yesterday we were commenting on how decade-old authentication code for Yum repo consumers makes the current auth wall completely pointless, and how easy it would be to set up a simple yum repo to make enterprise update staging and testing on-premise such a trivial thing. Now it's TWO decades old! Yay! Oh, how you've grown as the technology has aged. Remember all the times we've been told "we're just sorting it with [another group]" and progress went absolutely nowhere? Remember how we sadly pointed out the delayed development against its peers in that regard -- which is still a developmental delay today? This is your year, kiddo. Go on and be adequate!

Hi @ITWhisperer  Below are the raw events  which are need to be displayed in table format in a single row for below events with no common key value {"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"uniqObjectIds":["275649"],"uniqObjectIdsCount":1,"msg":"unique objectIds","time":"2023-11-03T19:26:43.672Z","v":0} {"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"uniqueRetrievedIds":["275649"],"msg":"data retrieved for Ids","time":"2023-11-06T22:48:03.594Z","v":0} {"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"eventBody":{"objectType":"material","objectIds":["275649","108795","1234567","1234568","99999999","888888888"],"version":"all"},"msg":"request body","time":"2023-11-03T05:25:33.508Z","v":0}

Since these come from the same raw event(?) you could regather the fields with a stats command | stats values(*) as * by _raw You may need to add _raw to your list of fields in the table command or use another field which is unique to the original event, e.g. _time

Great Solution! But there was a typo and it disregarded the amount of count. Added a sort to your solution. <your_search> | stats count by user | sort - count | eventstats count as total | streamstats count as current | where current<=0.15*total

Thanks @ITWhisperer the above spath query which worked and was able to form a table view without duplicate. How can i combine two events results in a single row rather than display in two rows ,there is no common key to do stats by it has same source and index only the msg. is different 1.Currently uniqObjectIds,uniqueRetrievedIds are displayed in two rows in a table view,wanted as a single row 2.How to combine multiple event in a single query if there is no common key .   index= "" source IN ("") "uniqObjectIds" OR "data retrieved for Ids" | spath output=uniqObjectIds path=uniqObjectIds{} | spath output=uniqueRetrievedIds path=uniqueRetrievedIds{} | eval PST=_time-28800 | eval PST_TIME=strftime(PST, "%Y-%d-%m %H:%M:%S") | eval split_field= split(_raw, "Z\"}") | mvexpand split_field | rex field=split_field "objectIdsCount=(?<objectIdsCount>[^,]+)" | rex field=split_field "uniqObjectIdsCount=(?<uniqObjectIdsCount>[^,]+)" | rex field=split_field "recordsCount=(?<recordsCount>[^,]+)" | rex field=split_field "sqsSentCount=(?<sqsSentCount>[^,]+)" | table_time,PST_TIME,objectType,objectIdsCount,uniqObjectIdsCount,recordsCount,sqsSentCount,uniqObjectIds,uniqueRetrievedIds | sort _time desc     

Hi @gcusello @ITWhisperer  I have same source and index for below two events first event: { [-]    awsRequestId:     hostname:     level: 30    msg: data retrieved for Ids    name:     pid: 8    time:     uniqueRetrievedIds: [ [-    275649    ]    v: 0 } second event: { [-]    awsRequestId:     hostname:     level: 30    msg: unique objectIds    name:     pid: 8    time:     uniqObjectIds: [ [-]      275649    ]    uniqObjectIdsCount: 1    v: 0 } There is no common key in these two events,but want to have in table view 1.Currently uniqObjectIds,uniqueRetrievedIds are displayed in two rows in a table view,wanted as a single row 2.How to combine multiple event in a single query if there is no common key .   index= "" source IN ("") "uniqObjectIds" OR "data retrieved for Ids" | spath output=uniqObjectIds path=uniqObjectIds{} | spath output=uniqueRetrievedIds path=uniqueRetrievedIds{} | eval PST=_time-28800 | eval PST_TIME=strftime(PST, "%Y-%d-%m %H:%M:%S") | eval split_field= split(_raw, "Z\"}") | mvexpand split_field | rex field=split_field "objectIdsCount=(?<objectIdsCount>[^,]+)" | rex field=split_field "uniqObjectIdsCount=(?<uniqObjectIdsCount>[^,]+)" | rex field=split_field "recordsCount=(?<recordsCount>[^,]+)" | rex field=split_field "sqsSentCount=(?<sqsSentCount>[^,]+)" | table_time,PST_TIME,objectType,objectIdsCount,uniqObjectIdsCount,recordsCount,sqsSentCount,uniqObjectIds,uniqueRetrievedIds | sort _time desc