Perhaps a better title would be: "Find an error in one system and then find errors close in time in a 2nd system".  In my case, both search strings include the word 'Error' and the values are text to indicate what the errors are about. Two Searches:   index=first_index sourcetype=first_source error 500 | rex field=_raw "string(?<REF_VAL>\d+)" | table _time REF_VAL   Output: _time    REF_VAL 2024-06-2024 10:48:04.003   Avalue   index=second_index soucetype=second_souce error somestring | rex field=_raw "ERROR - (?<ERR_MTHD>\S+)" | table _time ERR_MTHD   Output: _time    ERR_MTHD 2024-06-24 10:48:51.174  Method1text 2024-06-24 10:48:51:158  Method2text Output that I would like:  EVENT_TIME      REFERENCE_VAL      RELATED_TIME      RELATED_VAL 2024-06-2024 10:48:04.003   Avalue 2024-06-24 10:48:51.174  Method1text 2024-06-2024 10:48:04.003   Avalue 2024-06-24 10:48:51:158  Method2text ... View more

You are correct, Thanks for the solution:  The names must be in quotes AND they are case sensitive. ... View more

Sending thanks to ITWhisperer ... View more