The final part of your search is out of order. You are using dedup on column/username. If the data from search 1 does not have those fields, those events will disappear. Also you are searching status=success, which will only appear in search 2 data, so you should finish the search something like this | fields - fn nv fieldname ... | eval txid=coalesce(txid, tid) | stats values(*) as * by txid ``` Filter success items ``` | where status="Success" ``` Break out columns ``` | rex field=dbQueries "(?i)select\s+(?<columns>.*)\s+from" | eval column=split(columns,", ") ``` Now get the column we want ``` | eval column = mvfilter(column="emp.last_updated_date") | dedup column username i.e. combine the two event types filter out success rex out columns and split them There is no point in mvexpand and then searching for the last_updated_date to remove all the other expanded columns, all you need to do it filter the one you want. dedup may or may not be necessary     ... View more

Sorry, tsid and txid are the same I am referring to. ^_^ I will refine my syntax to use your line. Thanks again  ... View more

Got it, I see something new.  One step at a time.  Just started Splunking for less than 7 days.   Hopefully one day can be as powerful as you all.  So I can also whisper without too much sweat!  ^_^ Later. ... View more