Hi,
I am having some trouble merging two searches and I am looking for the best way to do this. We have firewall traffic with NAT that is done on two levels. My goal is to be able to identify the flow with both the original and the NATed IP addresses. Let me explain:
FW1 : src1, dst1, xlatesrc1, xlatedst1
FW2 : src2 (=xlatesrc1), dst2 (=xlatedst1), xlatedst2
Goal = table : src1, dst1, xlatesrc1, xlatedst1 (=xlatedst2 if it exists, otherwise xlatedst1). I have made something like:
search_FW1
| stats count by src1, dst1, xlatesrc1, xlatedst1
| join type=left xlatesrc1
    [ search search_FW2
      | stats values(xlatedst2) as xlatedst1 by src2
      | rename src2 as xlatesrc1 ]
| table src1, dst1, xlatesrc1, xlatedst1
But I have noticed that if src2 does not exist in search_FW1, I lose the event from my main search (search_FW1) :(. I thought that the "left" parameter of "join" should solve the issue, but it does not...
Any idea how to avoid it (and maybe optimize my search, as I have seen that "join" has poor performance)? Thanks
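As an added example (not part of the original post), here is the join-free pattern that keeps every FW1 flow even when FW2 never saw it: run both base searches together, build a shared NAT key from the FW1 translated addresses and the FW2 pre-translation addresses (the poster states src2 = xlatesrc1 and dst2 = xlatedst1), and let stats do the merge. It assumes search_FW1 and search_FW2 are plain base searches (index/sourcetype terms) that can be OR'ed, and that the field names are exactly those listed in the post.

```spl
(search_FW1) OR (search_FW2)
| eval nat_src = coalesce(xlatesrc1, src2),
       nat_dst = coalesce(xlatedst1, dst2)
| stats values(src1) as src1,
        values(dst1) as dst1,
        values(xlatedst2) as xlatedst2
        by nat_src, nat_dst
| where isnotnull(src1)
| eval xlatedst1 = coalesce(xlatedst2, nat_dst)
| rename nat_src as xlatesrc1
| table src1, dst1, xlatesrc1, xlatedst1
```

The `where isnotnull(src1)` line drops groups that exist only on FW2, which is what the left join was meant to express the other way round; if several FW1 flows share one NAT pair, src1 and dst1 become multivalue fields, so add them to the `by` clause via the same coalesce trick if you need one row per original flow.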