I would use append-stats combination instead of join command, like this your search 1 giving fields id and someField | eval from="search1" | append [search your search 2 giving fields id and someField | eval from="search2"] | stats dc(from) as sources by id someField | where source=1 | fields - sources ... View more

Try this run anywhere search | makeresults | eval _raw="[22/Mar/2018:17:06:23 -0700] id 100 “GET /URL1” 200 276 [22/Mar/2018:17:06:23 -0700] id 101 “GET /URL2” 200 276 [22/Mar/2018:17:06:23 -0700] id 102 “GET /URL3” 200 276" | rex max_match=0 "id\s+(?<id>\d+)\s+\“\w+\s+\/(?<url>\w+)" | eval c=mvzip(id,url) | mvexpand c | rex field=c "(?<id>[^\,]+)\,(?<url>.*)" | table id url In your environment, try <your base search> | rex max_match=0 "id\s+(?<id>\d+)\s+\“\w+\s+\/(?<url>\w+)" | eval c=mvzip(id,url) | mvexpand c | rex field=c "(?<id>[^\,]+)\,(?<url>.*)" | table id url let me know if this helps! ... View more

This can be a start, and you can adjust it as needed: index=some_index_1 OR index=some_index_2 source=some_source1 OR source=some_source_2 | eval status_code_1=if(index=some_index_1, status_code, NULL), status_code_2=if(index=some_index_2, status_code, NULL) | stats values(status_code_1) AS status_code_1, values(status_code_2) AS status_code_2 BY id ... View more