@yuanliu Thank you for the in-depth reply. Let me see if I can rephrase the issue with more specificity (I have to be cautious about divulging data, so forgive me if it makes my reply obtuse).

In my first search, I am looking for all examples of the string "numberOfRules" and then extracting a different substring (poid), which I am naming field_1:

    index=soe_app_retail sourcetype="vg:hvlm" source="*prd/vpa*" "*NumberOfRules*" | rex field=_raw "poid=(?<field_1>\d+)"

There will NEVER be duplicate values of this field, and I want to table it. Each event returned by this search has another unique value (uid), which also will never be duplicated, and I use this field to join to search 2:

    index=soe_app_retail sourcetype="vg:hvlm" source="*prd/vpa*" "*upper*" | rename message as field_2

There will often, but not always, be multiple events (messages) returned for each unique uid. So, if I search:

    index=soe_app_retail sourcetype="vg:hvlm" source="*prd/vpa*" "*NumberOfRules*" "*UNIQUE_UID_A*" | rex field=_raw "poid=(?<field_1>\d+)" | table field_1, uid

I will only get 1 event, which will table like this:

    field_A (abcde)   uid_A (1234)

If I search this:

    index=soe_app_retail sourcetype="vg:hvlm" source="*prd/vpa*" "*upper*" "*UNIQUE_UID_A*" | rename message as field_2 | table uid, field_2

I will get this table:

    uid_A (1234)   unique_message (first message w/ 1234)
    uid_A (1234)   unique_message (second message w/ 1234)
    uid_A (1234)   unique_message (third message w/ 1234)

What I want is:

    field_A (abcde)   uid_A (1234)   unique_message (first message w/ 1234)
    field_A (abcde)   uid_A (1234)   unique_message (second message w/ 1234)
    field_B (fghij)   uid_B (5678)   unique_message_Y (first message w/ 5678)
    field_B (fghij)   uid_B (5678)   unique_message (second message w/ 5678)
    field_C (klmno)   uid_C (9012)   unique_message (first message w/ 9012)

What I get is:

    field_A (abcde)   uid_A (1234)   unique_message (first message w/ 1234)
    field_B (fghij)   uid_B (5678)   unique_message_Y (first message w/ 5678)
    field_C (klmno)   uid_C (9012)   unique_message (first message w/ 9012)

This is my current search:

    index=soe_app_retail sourcetype="vg:hvlm" source="*prd/vpa*" "*NumberOfRules*" | rex field=_raw "poid=(?<field_1>\d+)" | join type=inner uid [ search index=soe_app_retail sourcetype="vg:hvlm" source="*prd/vpa*" "*upper*" | rename message as field_2 ] | table field_1, uid, field_2

@yuanliu what am I doing wrong?
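As an added illustration (not part of the post above), the following Python model reproduces the one-to-many join the poster describes: the first search yields one row per uid, the second yields several, and a join that keeps only the first matching subsearch row per key (the default behaviour of Splunk's `join`, whose `max` option defaults to 1; `max=0` removes the limit) collapses the result to one row per uid. The raw events and messages are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for the two searches in the post.
# Search 1: one event per uid, carrying "NumberOfRules" and a poid= token.
SEARCH1_RAW = [
    "NumberOfRules=3 poid=12345 uid=1234",
    "NumberOfRules=5 poid=67890 uid=5678",
    "NumberOfRules=1 poid=11111 uid=9012",
]
# Search 2: zero or more events per uid, each with a message field.
SEARCH2 = [
    {"uid": "1234", "message": "first message w/ 1234"},
    {"uid": "1234", "message": "second message w/ 1234"},
    {"uid": "5678", "message": "first message w/ 5678"},
    {"uid": "5678", "message": "second message w/ 5678"},
    {"uid": "9012", "message": "first message w/ 9012"},
]

def rex_search1(raw_events):
    """Mimic `rex field=_raw "poid=(?<field_1>\\d+)"` plus uid extraction."""
    rows = []
    for raw in raw_events:
        m = re.search(r"poid=(?P<field_1>\d+).*uid=(?P<uid>\d+)", raw)
        if m:
            rows.append({"field_1": m.group("field_1"), "uid": m.group("uid")})
    return rows

def splunk_join(left, right, key, max_matches=1):
    """Inner join keeping at most `max_matches` right rows per left row.
    max_matches=1 models Splunk join's default; 0 means keep every match."""
    by_key = defaultdict(list)
    for r in right:
        by_key[r[key]].append(r)
    out = []
    for l in left:
        matches = by_key.get(l[key], [])
        if max_matches > 0:
            matches = matches[:max_matches]
        for r in matches:
            out.append({**l, "field_2": r["message"]})
    return out

def table(rows):
    """Equivalent of `| table field_1, uid, field_2`."""
    return [(r["field_1"], r["uid"], r["field_2"]) for r in rows]

left = rex_search1(SEARCH1_RAW)
default_result = table(splunk_join(left, SEARCH2, "uid"))              # 3 rows
full_result = table(splunk_join(left, SEARCH2, "uid", max_matches=0))  # 5 rows
```

In SPL the equivalent switch is `join type=inner max=0 uid [ search ... ]`.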