@ITWhisperer Apologies for the confusion, let me try to rephrase.

Index=abc. FieldA, B, C, D
index=bcz. FieldE, F, G

I want to return _time, B, C, D, G where the value from field E matches B. I am getting the required output but I am not able to get the G values.

This is my query:

index=abc fieldA="<>"
| rex field=_raw .......FieldB .... FieldC.. Field D
| search [ search index=bcz FieldF="<>" | rename FieldE as FieldB | fields FieldB]
| stats count as Total by _time, FieldD, FieldC, FieldG
| where FieldD="<>"