Hi, I have 2 sample logs and I need to combine them into 1 query to grab the "Accesses" values, Due to the log format differences, I have combined 2 different queries using append/sub-search. However I noticed, the subquery results will shows up in the "CE" field, but does not show up in "TC" field . Or is there another way I can do to capture the Accesses value of these 2 log? index=nginx (("SourceName=Microsoft Windows security auditing" AND EventCode=4663 AND "Message=An attempt was made to access an object" AND Object_Name="C:\\Program Files\\nginx-1.18.0\\conf\\*.conf" AND ("Accesses:*")) OR (SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager AND EventCode=21)) | eval Date = strftime(_time, "%Y-%d-%m") | eval Hostname = upper(host) | eval Date = strftime(_time, "%Y-%d-%m") | eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | rex field=Message "Accesses:\s+(?P<Action>[^<]+)"\s+Access | append [ search index=nginx ((EventCode=4656 Object_Name="C:\\Program Files\\nginx-1.18.0\\conf\\*.conf" Process_Name=C:\\Windows\\explorer.exe) OR (SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager AND EventCode=21)) | rex field=Message max_match=0 "Accesses:\s+(?P<Action>[^>]+)"\s+Access\sReasons] | rex field=Action mode=sed "s/\s{2,}/\n/g" | strcat Action "-> " Object_Name CE | eval TC = mvzip(Time,'CE') | stats values(TC) as TC latest(Source_Network_Address) as "IP Address" by Date index Hostname | where isnotnull(TC) | mvexpand TC | makemv TC delim="," | eval Time=mvindex(TC, 0) | eval "Events"=mvindex(TC, 1) | fields Time Events Hostname "IP Address" | where Events' != "-> " Thank you ... View more