Hi,

We have the following query:

index=yyy sourcetype=zzz "RAISE_ALERT" logger="aaa" | table uuid message timestamp | eval state="alert" | append [SEARCH index=yyy sourcetype=zzz "CLEAR_ALERT" logger="aaa" | table uuid message timestamp | eval state="no_alert" ] | stats latest(state) as state by uuid

But this query is not showing anything for state; it shows only uuid. The query before and without latest works just fine. Here is a screenshot of the result of everything before stats -

If we replace stats latest with stats last, we can see uuid and state; it's just not the last observed value of state for that uuid.

Any idea as to why this can happen?

Update: Figured out the issue with this. The fields are being extracted using table, but there is no way for the query to figure out the timestamp using the extracted fields. Field extraction is not needed for our use case anyway; removing both table clauses makes the query work.

This is the updated query, and it works:

index=yyy sourcetype=zzz "RAISE_ALERT" logger="aaa" | eval state="alert" | append [SEARCH index=yyy sourcetype=zzz "CLEAR_ALERT" logger="aaa" | eval state="no_alert" ] | stats latest(state) as state by uuid
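The behaviour described in the post, as an added example that is not part of the original post: `latest()` orders events by `_time`, and `table` keeps only the fields it names, so a `table` clause that still lists `_time` leaves `latest(state)` something to order by. The events are constructed with `makeresults`, and the uuid values and time offsets are made up for illustration; deleting `_time` from the `table` line reproduces the empty `state` column.

```spl
| makeresults count=3
| streamstats count as n
| eval _time = now() - (n * 120), uuid = "constructed-uuid-" . n, state = "alert"
| append
    [| makeresults count=2
     | streamstats count as n
     | eval _time = now() - (n * 120) + 60, uuid = "constructed-uuid-" . n, state = "no_alert"]
| table _time uuid state
| stats latest(state) as state by uuid
```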