Thanks for reply. Below is my query , where I want to replace join . Same index but sources are different
index="79390-np" sourcetype=np-cache-v2 physicalType="MODULE" currentEoxMilestone="*SALE_DATE*" source="*hw*eox.*"
| join deviceId
[search index="79390-np" sourcetype=np-cache-v2 source="*group_member*" groupId="185524"
| dedup deviceId
| fields + deviceId]
| join deviceId [search index="79390-np" sourcetype=np-cache-v2 source="*device_details*" productFamily!=null ]
| stats count(productId) AS Total by deviceName, productId, deviceIp, swVersion, configTime, inventoryTime
| eval configTime=strftime(strptime(configTime,"%Y-%m-%dT%H:%M:%S"),"%Y-%m-%d")
| eval inventoryTime=strftime(strptime(inventoryTime,"%Y-%m-%dT%H:%M:%S"),"%Y-%m-%d")
| rename deviceName as Device, Total as Count, productId as "Product ID", deviceIp as "IP Address", swVersion as Version, configTime as "Config Collected", inventoryTime as "SNMP Collected"
| table Device, "Product ID", Count, "IP Address", Version, "Config Collected", "SNMP Collected"
... View more