Query #1 is giving fields host,hostGuid and "Days until expire". Your query #2 should contain field host and hostGuid (which it was in previous version). New version has fields customerName, customerGuid,  workspaceName and workspaceGuid, thus there are no matching host/hostGuid causing query to fail. If workspactName and workspaceGuid actually corresponds to host and hostGuid, rename them in query #2 so that they match, like this index=indexname environment=prod | rex "Certificates for server agent will expire in (?<expiry>\d+) days" | stats latest(expiry) AS "Days until expire" BY host environment | sort 0 "Days until expire" | eval host=rtrim(host, "prod.net") | eval host=(host."-prod") |lookup host hostName as host Output hostGuid |table host hostGuid "Days until expire"| eval from="events" | append [ | tstats count from datamodel=datamodelname where `ensure_model_activity` [| inputlookup host where hostGuid=".*" | eval host=hostName."*" | return 10 host] by datamodelfiled.workspaceGuid summariesonly=f allow_old_summaries=t | rename submissions.* as * | lookup workspace workspaceGuid output name as workspaceName currentCustomerGuid as customerGuid | lookup customer customerGuid output name as customerName | table customerName customerGuid workspaceName workspaceGuid | fillnull value="Not Found" | stats count by host hostGuid customerName customerGuid workspaceName workspaceGuid | fields - count | rename workspaceName as host workspaceGuid as hostGuid | eval from="lookup" ] | stats values(customerName) as customerName values("Days until expire") as days values(from) as from by host hostGuid | where mvcount(from)=2 | fields - from ... View more