Hi, We are looking to join two different soucretype which is given below 1- first source type for abc(In this soucetype it contains all server list) sourcetype=abc AlertName IN ("Health Service Heartbeat Failure", "Unexpected shutdown Event ID XXXX") | sort _time | table ServerName, AlertName ,AlertTriggered | dedup ServerName, AlertName ,AlertTriggered 2- Second source type for xyz(In this source type list contain only selective server i.e suport) sourcetype=xyz StatusValue IN(blue) Company IN("Support") | sort _time desc | dedup ManagementGroup , ServerName , _time | table ManagementGroup, ServerName, StatusValue, _time __________________________________________________________- we looking for combine syntax on which we view data like (serverName(support), Event ID includes heartbite Failure, Start time of event, End time of event). I am looking for your response Thanks in advance _
... View more