Hi, I have simplified my query as much as possible. Basically I am looking at two issues with this:

1: I cannot perform the joins because a subsearch can only contain 50.000 results, which is not enough to make my query join properly (potential matches are truncated). A "stats" should be able to do this instead, but I am not sure how to replace both the joins (also considering the next issue)...

2: In my example, I have the first join based on the field name "name". In "sourcetypeA" that "name" is a single, unique value. In "sourcetypeB", however, that "name" is part of an array called "names" which contains multiple names, one of which is the "name" value from "sourcetypeA". An mvexpand on "sourcetypeB" would resolve that issue, but that creates even more subsearch results (it breaks up an event into multiple events), which makes issue number 1 above even worse.

How can I get around both these issues?

    index=indexA sourcetype=sourcetypeA
    | join name [search sourcetype=sourcetypeB | fields name fieldB]
    | join fieldB [search sourcetype=sourcetypeC | fields fieldC ]
    | table name fieldB fieldC