Hi Max,
I would suggest not using a join; maybe a transaction can assist you better. You basically can search matching the events of source1 and source2 with something like
(search1) OR (search2)
and then simply transaction by SessionId. The final search would be smth like this:
(search1) OR (search2) | eval Search1Time=strptime(EventTime,"%Y-%m-%d") | eval Search2Time=strptime(EventTime,"%Y-%m-%d %H:%M:%S.%NZ") | transaction SessionId | where Id!=" " | stats dc(Id) by Service
Hope this helps!