Hi @ThuLe, the process to add new Key Indicators is described in Enterprise Security Training. Very quickly, if you want to use one of the already existing KI Searches you have to: Click on Security Posture Dashboard, Click on Edit click on "+" button choose the wanted Indicator click on tick for saving If you want to create your own KI the procedure is more long and it's difficoult to describe here, anyway, as everything in ES you can create it in [Configure > Content > Content Management > Key Indicators]. Ciao. Giuseppe

omg!! sorry for the confusion. 111,222 is correct.  I searched as shown below, and all idexes values ​​are 1.    index IN (A, B)  | eval id=case(index="A" AND title="check", or_id, index="B", ev_id) | stats dc(index) as indexes by id  | where indexes=2    Ultimately, I want to find the value that has or_id but does not have ev_id.  The final answer I really want is 333 in the example above.  | was trying to find the case "where count<2",  but I think about it again,  there may be a case where there is an ev_id and an or_id.  Could you please help me further?

Assuming you mean 111 and 222 (not 777 - that's one of the problems with constructed examples!), you could try something like this | eval id=case(index="A" AND title="check", or_id, index="B", ev_id) | stats dc(index) as indexes by id | where indexes=2

  no index title or_id ev_id 1 A check 111   2 A check 222   3 A check 333   4 A confirm 444   5 A confirm 555   6 A confirm 666   7 B OK 　 111 8 B OK   777 9 B OK   888 10 B OK   999 11 B NO   123 12 B NO 　 666 13 B NO   234 14 B NO 　 222     Let me give you a specific example again. In the case above, I want to check if the or_id of the event with title "check" in index=a has the same value in the ev_id of index=b. I want to look up or_id or ev_id if they have the same value. In the example, numbers 1 and 7, 2 and 14 are the same, and the value I want to look up is 111,777. Numbers 6 and 12 are the same, but since title 6 is not a check, it is not counted in the results.  

Given your limited construct example, the solution proposed by @yuanliu works. If this doesn't work for your real usecase, please provide more realistic examples showing how the proposed solution does not fit your needs.

Note that when using stats values(*) as * the values aggregation will remove duplicates and you will end with a sorted set of unique values for each field. If you use stats list(*) as * then you will get all values of all fields with each value in sequence in each field from the second data set including duplicates. Note that there is a 100 event limit when using list(). The differentiation is important if you need to keep some kind of correlation between the values of each joined result based on your common key. Note that you can combined these on any number of common keys between the two data sets as there is no concept of primary key as @yuanliu says.