Try this:

(index=aws sourcetype=aws:cloudtrail eventName=RebootInstances) OR
(index=aws sourcetype=aws:description source="us-east-2:ec2_instances")
| eval id=coalesce(id, 'requestParameters.instancesSet.items{}.instanceId')
| eval _time=if(sourcetype="aws:cloudtrail", _time, null())
| fields _time userName sourceIPAddress private_ip_address id
| stats values(*) as * by id

It searches both data sets.
id is then set as either id OR the instanceId in the coalesce statement.
_time is set to null if it is the description sourcetype, forcing _time to come from the cloudtrail event.
fields are then limited to the ones specified.
stats takes the values of all fields and effectively merges the data on the id field.

Hope this helps
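The merge that the query in the answer above performs, emulated in Python over constructed events; this is an added example, not part of the original answer and not Splunk code. The sample events, the `merge_by_id` and `rebooted` helpers, and the one-row-per-instance handling of a multi-instance reboot call are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data); field names follow the query above.
INSTANCE_FIELD = "requestParameters.instancesSet.items{}.instanceId"
EVENTS = [
    {"sourcetype": "aws:cloudtrail", "_time": 1700000000, "userName": "alice",
     "sourceIPAddress": "198.51.100.7", INSTANCE_FIELD: ["i-0aaa", "i-0bbb"]},
    {"sourcetype": "aws:cloudtrail", "_time": 1700000600, "userName": "bob",
     "sourceIPAddress": "203.0.113.9", INSTANCE_FIELD: ["i-0aaa"]},
    {"sourcetype": "aws:description", "_time": 1700003600, "id": "i-0aaa",
     "private_ip_address": "10.0.1.15"},
    {"sourcetype": "aws:description", "_time": 1700003600, "id": "i-0bbb",
     "private_ip_address": "10.0.2.20"},
    {"sourcetype": "aws:description", "_time": 1700003600, "id": "i-0ccc",
     "private_ip_address": "10.0.3.30"},
]
KEEP = ("_time", "userName", "sourceIPAddress", "private_ip_address")


def merge_by_id(events):
    """Emulate: coalesce id, null out non-CloudTrail _time, fields, stats values(*) by id."""
    merged = defaultdict(lambda: defaultdict(set))
    for ev in events:
        # coalesce(): take id if present, otherwise the CloudTrail instanceId
        ids = ev.get("id") or ev.get(INSTANCE_FIELD) or []
        ids = [ids] if isinstance(ids, str) else ids
        ev = dict(ev)
        if ev["sourcetype"] != "aws:cloudtrail":
            ev.pop("_time", None)  # inventory events contribute no _time
        for instance_id in ids:  # assumed: one row per instance named in the call
            for field in KEEP:
                if field in ev:
                    merged[instance_id][field].add(ev[field])
    # values(): distinct values per field, sorted
    return {i: {f: sorted(v) for f, v in row.items()} for i, row in merged.items()}


def rebooted(rows):
    """Hypothetical extra filter: rows without _time exist only in the inventory."""
    return {i: r for i, r in rows.items() if "_time" in r}


if __name__ == "__main__":
    for instance_id, row in sorted(rebooted(merge_by_id(EVENTS)).items()):
        print(instance_id, row)
```

When one instance is rebooted more than once, the merged row holds the distinct users, source IPs and times as separate value lists, so it no longer shows which user issued which reboot; go back to the individual CloudTrail events for that attribution.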