I am trying to locate some data between two indexes, the common items are the src_interface and the network device name, but the data gets jumbled up when searching over longer periods of time. This is what I am using now.  index=network "arp-inspection" OR "packets received" | rename mnemonic as Port_Status | rename Network_Device TO "NetworkDeviceName" | rename src_interface TO "src_int" | join type=inner "NetworkDeviceName" , "src_int" [ search index=cisco_ise sourcetype=cisco:ise:syslog User_Name="host/*"] | table  device_time, NetworkDeviceName, User_Name, src_int, src_ip, src_mac, message_text, Location, Port_Status   ... View more

Here is my search in question, the common field is the SessionID index=eis_lb apm_eis_rdp |fillnull value="-" |search UserID!="-" | rex field=_raw "\/Common\/apm_eis_rdp:ent-eis[:a-zA-Z0-9_.-](?'SessionID'........)" |search company_info="*" |rename company_info as "Agency" | table _time, SessionID, UserID,Full_Name, Agency, HostName, client_ip | sort - _time _time SessionID UserID Full_Name Agency HostName client_ip 2024-03-22 08:25:29 4f89ae57 Redacted Redacted Redacted Redacted - If I remove the Search UserID I can see the matching session ID and the client_ip is present. _time                               SessionID       UserID    Full_Name    Agency      HostName              client_ip 2024-03-22 14:26:48 4f89ae57     Redacted Redacted    Redacted   Redacted                    - 2024-03-22 14:25:52 4f89ae57 - - - -                                                                                                 Redacted How can I create a search like above to show the client_ip maching the SessionID ... View more