Hi, I know the post was in 2019, but for the next one who fall on this topic, I share some tips about that. Use double stats to avoid mvexpand : index=index1 | some crazy stuff | fields source1 host | append [search index=index2 | some more crazy struff | fields source2 host] | stats values(source1) as source1, values(source2) as source2 by host ```add this next line if you want source1 or source2 are null : |fillnull value="N/A" source1 source2 ``` |stats c by host source1 source2  Hope this will be helpfull 🙂 ... View more

Hello, Maybe a little late for the main post, but for the others who launch here. The best solution is to use the timestamp for sorting :   # only if your _time is not native and format is not timestamp unix or in ISO date (YYYY-mm-dd HH:MM:SS) |eval time=strptime(_time,"my_format_date")   and dedup the event with the column to be unique. For the exemple :   |dedup appId sortby -_time   You will have the latest event/row for the appId If you want to deduplicate with the "name" in addition, do this :   |dedup appId name sortby -_time   For more documentation : https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup ... View more