I have two searches/data sets that I would like to combine into a table, and am not entirely sure what the correct process for completing the task is. I would like to use the Mandiant indicators/information and another search to look for activity that occurred, and get the data from both into one table with a total count of detected activity. If anyone could provide assistance or a recommendation with this matter it would be much appreciated.
First Search (Fields Needed: src_ip, dest, City, Country)
index=pan_logs OR index=estreamer dest="*" | iplocation src_ip | stats count by src_ip dest City Country
Second Search (Fields Needed: src_ip, category, mscore, type, malware, threat_actor)
First Variation
| inputlookup mandiant_master_lookup | search type=ipv4 | eval src_ip=_key | table src_ip category mscore type malware threat_actor
Second Variation
| lookup mandiant_master_lookup _key as src_ip output category mscore type malware threat_actor
Attempted Join that didn't work
index=pan_logs OR index=estreamer dest="*" | iplocation src_ip | stats count by src_ip dest City Country | join type=outer src_ip [| inputlookup mandiant_master_lookup | eval src_ip=_key | table src_ip category mscore type malware threat_actor]
Search that was Close, but needed additional iplocation data and action from device:
index=pan_logs OR index=estreamer dest="*" | lookup mandiant_master_lookup _key as src_ip output category mscore type malware threat_actor | fillnull value="" | search type=ipv4 | makemv delim=";" category | stats count by src_ip dest category mscore severity type malware threat_actor
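One way to get both data sets into a single table with a detection count, as an added example that is not part of the original post: aggregate the firewall events first, enrich the distinct sources with the Mandiant lookup, then add geolocation. It assumes `action` is the field carrying the device verdict (allow/deny) in the pan_logs and estreamer events, and that `_key` is the indicator column of `mandiant_master_lookup`, as in the searches above.

```spl
index=pan_logs OR index=estreamer dest="*"
| stats count BY src_ip dest action
| lookup mandiant_master_lookup _key AS src_ip OUTPUT category mscore type malware threat_actor
| search type=ipv4
| iplocation src_ip
| makemv delim=";" category
| fillnull value="-" City Country
| stats sum(count) AS detections BY src_ip dest action City Country category mscore type malware threat_actor
| sort - detections
```

The `search type=ipv4` step keeps only sources that matched an indicator, so this behaves like an inner join without the subsearch row limits of `join`; running `iplocation` after the first `stats` means it is evaluated once per distinct source rather than once per event.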