Why does the merged query look nothing like the two original queries?  I expected something more like this: (index="main" OR index="c3d_infra") sourcetype="aws:description" aws_account_id="*" region="*" source="*:ec2_instances" | search private_ip_address="172.19.122.6" | append [ search index=c3d_security host=ip-172-23* rule=corp_deny_all_to_untrust NOT dest_port=3031 | table src_ip dest_ip transport dest_port application ] | stats values(*) as * by <<some field(s) common to both searches>>    ... View more

Hi you are needing one or more common fields which has same values on both queries. After that you can combine those together e.g. with stats (or append or even join). Here are some instructions how you can do it. https://conf.splunk.com/files/2020/slides/TRU1761C.pdf https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948 r. Ismo ... View more

Which part of the raw event is the AWS instance id you are trying to extract? ... View more