You didn't illustrate what the expected results look like. Based on the last stats in your OP, you only want to filter for first, last of people with a leave ticket, not to add any information about the ticket. Is this correct? In that case, just extract first and last in the second search and use it as a subsearch, like this.

index=collect_identities sourcetype=ldap:query [ search index=db_mimecast splunkAccountCode=* mcType=auditLog
| fields user
| dedup user
| eval email=user, extensionAttribute10=user, extensionAttribute11=user
| fields email extensionAttribute10 extensionAttribute11
| format "(" "(" "OR" ")" "OR" ")"
]
[search index=db_service_now sourcetype="snow:incident" affect_dest="STL Leaver"
| dedup description
| rex field=description "Leaver Request for (?<first>\S+) (?<last>\S+) -"
| fields first last]
| dedup email
| eval identity=replace(identity, "Adm0", "")
| eval identity=replace(identity, "Adm", "")
| eval identity=lower(identity)
| stats
values(email) AS email
values(extensionAttribute10) AS extensionAttribute10
values(extensionAttribute11) AS extensionAttribute11
values(first) AS first
values(last) AS last
BY identity

Note the extraction of first and last depends on the precise format in description; additionally, it assumes that first and last contain no white space.
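
The caveat in the note above, as an added example that is not part of the original answer: it applies the same pattern to constructed ticket descriptions and shows which leavers produce no first/last and so never reach the filter the subsearch hands to the outer search. The sample descriptions, the function names and the rendered filter string (an approximation of how a subsearch returning first and last expands) are assumptions.

```python
import re

# Python spelling of the answer's rex pattern: rex (PCRE) writes (?<first>...),
# Python's re module needs (?P<first>...). Like rex, the match is unanchored
# and case-sensitive.
LEAVER_RE = re.compile(r"Leaver Request for (?P<first>\S+) (?P<last>\S+) -")

# Constructed ticket descriptions (not real data).
SAMPLE_DESCRIPTIONS = [
    "Leaver Request for Jane Doe - last day 2024-05-31",
    "Leaver Request for Anne-Marie O'Neil - last day 2024-06-07",
    "Leaver Request for Mary Ann Smith - last day 2024-06-14",  # three name tokens
    "Leaver Request for John  Roe - last day 2024-06-21",       # double space
    "Leaver request for Sam Poe - last day 2024-06-28",         # lower-case "request"
]


def extract_leaver(description):
    """Return (first, last) as the rex would, or None when nothing is extracted."""
    m = LEAVER_RE.search(description)
    return (m.group("first"), m.group("last")) if m else None


def audit(descriptions):
    """Split descriptions into extracted name pairs and tickets that drop out."""
    matched, dropped = [], []
    for d in descriptions:
        pair = extract_leaver(d)
        if pair:
            matched.append(pair)
        else:
            dropped.append(d)
    return matched, dropped


def subsearch_filter(pairs):
    """Approximate the filter a subsearch returning first/last expands to."""
    terms = ['( first="%s" AND last="%s" )' % p for p in pairs]
    return "( " + " OR ".join(terms) + " )" if terms else ""


if __name__ == "__main__":
    matched, dropped = audit(SAMPLE_DESCRIPTIONS)
    print(subsearch_filter(matched))
    for d in dropped:
        print("no first/last extracted:", d)
```

Tickets in the dropped list are the ones to review by hand, since the leaver they name is silently absent from the final results.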