Thanks for the reply @venky1544, I did remove the coalesce and changed the last line to:

| transaction src_ip
| eval endtime=_time+duration
| eval end_time=strftime(endtime,"%Y-%m-%d %H:%M:%S")
| table src_ip _time end_time Username properties.ipAddress

This gives me rows with single values of src_ip from the msvpn index, time, end_time and user, which is great. However, I would like to match those IPs to the list of IPs from the msazure index.

So let's say I have 4 events with IP x.x.x.x (properties.ipAddress) from the msazure index that occurred at 11.30, 11.55, 12.30, 12.45. I want to display all 4 of them in the table (together with username, host, etc.) and then match src_ip from the msvpn index to those events. So if I have 2 IPs in the msvpn index between 11.30 and 12.45, I would like to match them closest to the rows/events from the first index. Then perform comparison etc. on the data.

When I placed properties.ipAddress at the end of |table it does not display any data.
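The matching described in the post above, as an added example that is not part of the original post and is written in Python rather than SPL: every msazure event stays as a row, and each msvpn event is attached to the same-IP row closest in time. The field names come from the post; the sample events, the 30-minute cutoff `max_gap_s` and the function name are assumptions.

```python
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"  # same format as the strftime() in the post

def _ts(s):
    return datetime.strptime(s, FMT)

def match_vpn_to_azure(azure_events, vpn_events, max_gap_s=1800):
    """Return one row per Azure event; each VPN event is attached to the
    same-IP Azure row closest in time (within max_gap_s, an assumed cutoff)."""
    rows = [dict(a, vpn_matches=[])
            for a in sorted(azure_events, key=lambda a: _ts(a["_time"]))]
    by_ip = defaultdict(list)            # ip -> [(time, row)], already time-ordered
    for r in rows:
        by_ip[r["properties.ipAddress"]].append((_ts(r["_time"]), r))
    unmatched = []
    for v in vpn_events:
        cands = by_ip.get(v["src_ip"], [])
        t = _ts(v["_time"])
        i = bisect_left([c[0] for c in cands], t)
        best = None
        for j in (i - 1, i):             # neighbours just before and just after t
            if 0 <= j < len(cands):
                gap = abs((cands[j][0] - t).total_seconds())
                if gap <= max_gap_s and (best is None or gap < best[0]):
                    best = (gap, cands[j][1])
        if best:
            best[1]["vpn_matches"].append(
                {"src_ip": v["src_ip"], "_time": v["_time"], "gap_s": int(best[0])})
        else:
            unmatched.append(v)          # VPN source IP with no nearby Azure sign-in
    return rows, unmatched

# Constructed sample events (documentation-range IPs, made-up user).
AZURE = [{"_time": f"2024-01-15 {t}:00", "properties.ipAddress": "203.0.113.10",
          "Username": "alice"} for t in ("11:30", "11:55", "12:30", "12:45")]
VPN = [
    {"_time": "2024-01-15 11:50:00", "src_ip": "203.0.113.10"},
    {"_time": "2024-01-15 12:40:00", "src_ip": "203.0.113.10"},
    {"_time": "2024-01-15 12:00:00", "src_ip": "198.51.100.7"},  # no Azure sign-in
]

if __name__ == "__main__":
    rows, unmatched = match_vpn_to_azure(AZURE, VPN)
    for r in rows:
        print(r["_time"], r["properties.ipAddress"], r["Username"], r["vpn_matches"])
    print("unmatched VPN events:", unmatched)
```

VPN events left in `unmatched` are the ones worth reviewing first, since they have no same-IP Azure sign-in within the cutoff.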