I have set of hosts that are installed with different versions of software but logging to the same index, and I need to create a report based on specific versions. Here is an example set of data that I have to deal with. host msgCode msgText qty A 101 1.0.0   A 103 Nut 48 A 103 Widget 289 B 101 1.1.0   B 103 Nut 69 B 103 Widget 367 C 101 1.0.0   C 103 Nut 93 C 103 Widget 433 D 101 1.0.3   D 101 Nut 74 D 103 192 E 101 1.0.0   E 103 Nut 88 E 103 Widget 225 Given this set of data, I would like to get the sum of qty for the hosts that have msgCode=1.0.0. The caveat on this is that msgCode 101 is logged sporadically every couple of days, and when the host gets updated with the newer version,  so I only want to use the most recently logged value as is the case with host B. As such, the result should be something like the following which only sum qty values from hosts A, C E: Nut 229 Widget 947   I can do sum of all qty, but I am not sure how I can filter out host B from it. I was doing something like the following, but then, I just get the result from the sub query.     index=myIndex | eventstats sum(qty) by msgCode as partSum | table msgCode, partSum | join host type=inner [ search index=myIndex msgCode=101 msgText=1.0.0 earliest=-3d | stats count by host ]   ... View more