This is exactly what I tried, but I need to see only events where cvs>7 and, in the same row of the same table, I need to see data from the other sourcetype (operating_system, etc.). I will make a visualization.

My search without conditions:

index=security sourcetype=EDR:* | eval dest=coalesce(ip,ipaddress) | stats values(sourcetype) values(cvs) values(warning) values(operating_system) values(ID) by dest

Search with OR conditions:

index=security ( (sourcetype=EDR:Security cvs>7) OR sourcetype=EDR:Assets )

As you can see, if the condition is met, I get results from one sourcetype only. If the conditions are not met, I get all results in one row. I need to have it all - cvs>7, operating_system, ID, etc. - in one row.
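The pattern the post is reaching for is to apply the cvs>7 condition after the two sourcetypes have been merged per host, not before: a filter in the base search removes the EDR:Assets events (which carry no cvs field) from the row, while a filter after stats keeps them. The following SPL is an added example, not from the original post; it reuses the post's index, sourcetypes and field names and assumes cvs is numeric so max() can compare it.

```spl
index=security (sourcetype=EDR:Security OR sourcetype=EDR:Assets)
| eval dest=coalesce(ip,ipaddress)
| stats values(sourcetype) AS sourcetypes
        max(cvs) AS max_cvs
        values(cvs) AS cvs
        values(warning) AS warning
        values(operating_system) AS operating_system
        values(ID) AS ID
        by dest
| where max_cvs>7
```

Each row is one dest: the EDR:Security events contribute cvs and warning, the EDR:Assets events contribute operating_system and ID, and the `where` after `stats` drops hosts whose highest cvs is 7 or below while leaving the asset fields intact on the rows that remain.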