OK, so you want to find events either where id is XYZ AND finished duration is > N OR  id is XYZ OR finished duration is > N Assuming it is AND then try this source=abc type=Changed ((msg="consumed event" AND event_id="*") OR (msg=" finished processing" AND duration>1) | rename event.data{}.id as id | where id="XYZ" | stats avg(duration) Not totally sure if event_id and event.data{}.id are the same thing and if your finished processing events will have the event.data.id field - if not then you have to change the where clause. Without seeing your data, it's not clear if the above will give you what you want, but the principle is the same in that you just need to combine the data types in a single query, so you have OR for the msg=XX statements. The stats command needs to combine the events so that it can determine if there are both events for the result so you don't get events that ONLY have duration > 1 If you can give an example of the 2 events you want to collect together that would help

Sorry @bowesmana i just changed the Query #1 slightly: Query #1 source=abc type=Changed msg="consumed event" event_id="*" | rename event.data{}.id id | where id="XYZ" Query #2 source=abc type=Changed" msg=" finished processing"  duration>1 | stats avg(duration) I want to join the two above queries and at the end show the avg(duration). duration is a field from the second query. Thanks!

Thanks @bowesmana  for your help. So here are two queries: Query #1 source=abc type=Changed msg="consumed event" event_id="*" |  Query #2 source=abc type=Changed" msg=" finished processing"  duration>1 | stats avg(duration) I want to be able to do the above two searches in one. based on the event_id being the same and at the end displaying the average of the duration which is the field from the second query. Thanks!

If you want to get a lot of flexibility with maps, then use the maps+ vizualisation https://splunkbase.splunk.com/app/3124 You have a number of options for defining colour by adding your colour values to the rows of your results  

You need to change your search a bit index="index1" | lookup lookup1 ip_address as src_ip OUTPUT ip_address as address | where cidrmatch(address, dest_ip) i.e. you don't really need OUTPUTNEW unless you want to prevent an existing address field from being overwritten, but then the where clause uses the cidrmatch command where you give the CIDR range as the first parameter. This assumes that your lookup1 is a lookup definition and you have defined the match type as CIDR(ip_address)  

You could start with something like this source=abc type=Change (msg=" consumed" OR msg=" finished") event_type="*" | stats values(msg) as msgs by event_type | where mvcount(msgs)=2 where you search for all events with either event type and then only find those that have both consumed AND finished. It will depend on what you want to do with the results as to what your search will look like - can you say what your goal is with the results?

Hi with that data there shouldn’t be any needs for anything else than default line breaker. It seems to be an event per line. Also \P should be just P as those two has totally different meanings. r. Ismo