You might want to consider more relational database approach since your data seems to have normalized database structure and you want to analyze more. This way you would get a good structured data to play with. index=index1 sourcetype=Error | table err_msg, id, nid
| join type=left nid [ search index=index1 sourcetype=Node | table address, id, resultid | rename id as nid]
| join type=left resultid [ search index=index1 sourcetype=Result | table id , model | rename id as resultid]
... View more