Hi all,

Currently I have the following string to make a table with some values which belong to different events but they have a field in common:

    index="*MYindex*" AND container_name="Mycontainer_name" AND (message="*search1*" OR message="*search2*" OR message="*search3*") AND NOT message="*search4*"
    | rex field=_raw "xyz(?<search1>[0-9a-zA-ZÀ-ÿ\,\s"/"]+),*"
    | rex field=_raw "xyz(?<trace>[a-z0-9]+)*"
    | rex field=message "xyz(?<search3>[0-9a-zA-Z\s]+),*"
    | rex field=_raw "xyz(?<search2>[A-Za-z0-9]+)*"
    | stats values(search2) as SEARCH2 values(search3) as SEARCH3 values(search1) as SEARCH1 by trace

This generates the following table grouping the events with the same trace. I expect to have empty cells depending on the SEARCH2 and SEARCH3, so it's fine.

    trace SEARCH2 SEARCH3 SEARCH1
    0022f6381a597f0e EXOL 200 OK
    004d6a8d0b2c3e7c EXRS
    0052ad6e42b4b9ad EXOL 200 OK
    008643fdaca08cd5 EXOL 200 OK
    008f58384f6d582f EXOL 400 BAD FORMAT ERROR

What I'm looking for is to filter these results based on an additional search, which is a different event but it has the same trace:

    index="*MYindex*" AND container_name="Mycontainer_name" AND (message="*search1*" OR message="*search2*" OR message="*search3*" OR message="*search5*" ) AND NOT message="*search4*"
    | rex field=_raw "xyz(?<search1>[0-9a-zA-ZÀ-ÿ\,\s"/"]+),*"
    | rex field=_raw "xyz(?<trace>[a-z0-9]+)*"
    | rex field=message "xyz(?<search3>[0-9a-zA-Z\s]+),*"
    | rex field=_raw "xyz(?<search2>[A-Za-z0-9]+)*"
    | rex field=_raw "xyz(?<search5>[a-zA-Z]+),*"
    | where search5="true"
    | stats values(search2) as SEARCH2 values(search3) as SEARCH3 values(search1) as SEARCH1 by trace

search5 can only be "true" or "false", but the table applying the filter is empty, only showing the trace field:

    trace SEARCH2 SEARCH3 SEARCH1
    0022f6381a597f0e

How can I filter the events applying the condition?

Thanks for your time.
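Added example, not part of the original post: `where search5="true"` runs per event before `stats`, so only the search5 event of each trace survives, and that event carries none of the other fields. The sketch below carries search5 through `stats` and filters the grouped rows instead; the sample lines, the `trace=`/`code=`/`status=`/`flag=` markers, and the names `sample_line` and `SEARCH5` are constructed assumptions standing in for the post's redacted data.

```spl
| makeresults
| eval sample_line=split("trace=aaaa000000000001 code=EXOL;trace=aaaa000000000001 status=200 OK;trace=aaaa000000000001 flag=true;trace=bbbb000000000002 code=EXRS;trace=bbbb000000000002 flag=false", ";")
| mvexpand sample_line
| rex field=sample_line "trace=(?<trace>[a-z0-9]+)"
| rex field=sample_line "code=(?<search2>[A-Za-z0-9]+)"
| rex field=sample_line "status=(?<search3>[0-9a-zA-Z\s]+)"
| rex field=sample_line "flag=(?<search5>[a-zA-Z]+)"
| stats values(search2) as SEARCH2 values(search3) as SEARCH3 values(search5) as SEARCH5 by trace
| search SEARCH5="true"
| fields - SEARCH5
```

On real data, the base search and `rex` stages from the post stay as they are; only the stages from `stats` onward change, with the per-event `where` removed.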