Replace your stats with these - | stats values(Image) as Image, values(sourcetype) as sourcetype, values(source_port) as source_port by source_address, destination_address, destination_port | search match(sourcetype,"pfsensefirewall") ... View more

The more effective solution comes with some serious problems. We don't currently have the exact same basis of data in both sourcetypes. When I'm using the stats search the datasets are merged eventhough there often aren't two matchind entries. I only want them to show up if there are two matching entries. I looked at all the documentation I could find about the coalesce method but it does not seem to be possible, is it? ... View more

Technically, you can have mulitple EXTRACT directives in your props pointing to corresponding stanzas in transforms. However, the risk, in your example, is if ICMP logs have a comma in the data, it will be extracted into a field. Your better option would be to keep all the data in the same index but separate sourcetypes (TCP, UDP, ICMP). This will give your more flexibility. ... View more