Hi Tom,  I have not been able to get your suggestion to show all of the data. It will either display the value of message1 OR message2 in the stats tab.  I think this is because the payload location for both of these is the same JSON path?  message.payload for each of them. Could they be overwriting each other? I think I have been able to use a subsearch of index="example" TERM(Stop) and use the timestamp of those events to run the outer search of index="example" message.payload.log="controller" The query looks like this: index="example" message.payload.log="controller" | rename message.payload AS message1 [search index="example" TERM(STOP)    | rename message.payload AS message2    | table _time] | stats count by message1   This works to filter the outer search ("controller") by the timestamp of the inner search (TERM(STOP)), but I would love to be able to show the data from message two in the stats page, next to the results from message1. So far, I am not able to get both message1 and message2 to show up, as they seem to override one. ... View more

Thank you Tom! I will give this a try today. ... View more

Thanks for your reply! I think I may have written my example queries poorly.  The indexes are the same, but each have additional parameters. First is: index="example" TERM(STOP) Second is: index="example" TERM(index)   If my indexes have the same name, how can I modify your example? ... View more