Hi @KellyP, in the search you shared you forgot the join command, but anyway avoid using join, and if possible forget this command, because it's very slow and resource consuming: Splunk isn't a relational DB, it's a search engine. So you can correlate events in a different way using stats:

(index=netproxymobility sourcetype="zscalernss-web") OR index=netlte
| stats
    values(transactionsize) AS transactionsize
    values(responsesize) AS responsesize
    values(requestsize) AS requestsize
    values(urlcategory) AS urlcategory
    values(serverip) AS serverip
    values(hostname) AS hostname
    values(appname) AS appname
    values(appclass) AS appclass
    values(urlclass) AS urlclass
    values(IMEI) AS IMEI
    BY ClientIP

If you want only the events in both the indexes, you can add an additional clause:

(index=netproxymobility sourcetype="zscalernss-web") OR index=netlte
| stats
    values(transactionsize) AS transactionsize
    values(responsesize) AS responsesize
    values(requestsize) AS requestsize
    values(urlcategory) AS urlcategory
    values(serverip) AS serverip
    values(hostname) AS hostname
    values(appname) AS appname
    values(appclass) AS appclass
    values(urlclass) AS urlclass
    values(IMEI) AS IMEI
    dc(index) AS index_count
    BY ClientIP
| where index_count=2
| fields - index_count

Ciao.
Giuseppe
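As an added illustration (not part of Giuseppe's answer and not Splunk code), the following Python emulates what the two searches above do: a single pass over events from both indexes, grouped by ClientIP, collecting the distinct values of each field, and, for the second variant, keeping only the groups whose `dc(index)` is 2. The event list is constructed sample data with placeholder IMEIs, and the field names are the ones from the search above.

```python
from collections import defaultdict

# Constructed sample events standing in for the two indexes (not real data).
EVENTS = [
    {"index": "netproxymobility", "sourcetype": "zscalernss-web", "ClientIP": "10.0.0.5",
     "urlcategory": "Business", "hostname": "example.com", "requestsize": 512},
    {"index": "netproxymobility", "sourcetype": "zscalernss-web", "ClientIP": "10.0.0.5",
     "urlcategory": "News", "hostname": "news.example", "requestsize": 1024},
    {"index": "netlte", "ClientIP": "10.0.0.5", "IMEI": "IMEI-PLACEHOLDER-1"},
    {"index": "netlte", "ClientIP": "10.0.0.9", "IMEI": "IMEI-PLACEHOLDER-2"},
    {"index": "netproxymobility", "sourcetype": "zscalernss-web", "ClientIP": "10.0.0.7",
     "urlcategory": "Malware", "hostname": "bad.example", "requestsize": 64},
]

# Fields aggregated with values(...) in the search above.
VALUE_FIELDS = ["transactionsize", "responsesize", "requestsize", "urlcategory",
                "serverip", "hostname", "appname", "appclass", "urlclass", "IMEI"]


def stats_by_clientip(events, value_fields=VALUE_FIELDS):
    """Emulate `| stats values(f) AS f ... dc(index) AS index_count BY ClientIP`.

    One pass over the events; no pairwise matching of rows as a join would do.
    """
    groups = defaultdict(lambda: {"values": defaultdict(set), "indexes": set()})
    for ev in events:
        key = ev.get("ClientIP")
        if key is None:
            continue  # stats drops events that lack the BY field
        group = groups[key]
        group["indexes"].add(ev["index"])  # feeds dc(index)
        for field in value_fields:
            if field in ev:
                group["values"][field].add(ev[field])  # values() keeps distinct values

    rows = []
    for ip, group in sorted(groups.items()):
        row = {"ClientIP": ip, "index_count": len(group["indexes"])}
        for field in value_fields:
            distinct = group["values"][field]
            # values() returns a lexicographically sorted multivalue field, or nothing
            row[field] = sorted(distinct, key=str) if distinct else None
        rows.append(row)
    return rows


def correlate(events, require_both=False):
    """First search (union of both indexes) or, with require_both=True,
    the second search: `| where index_count=2 | fields - index_count`."""
    rows = stats_by_clientip(events)
    if require_both:
        rows = [r for r in rows if r["index_count"] == 2]
    for row in rows:
        row.pop("index_count")  # `fields - index_count`
    return rows


if __name__ == "__main__":
    for row in correlate(EVENTS, require_both=True):
        print(row)
```

Running it shows that only 10.0.0.5 appears in both indexes: its proxy fields and its IMEI land on the same row, while 10.0.0.7 (proxy only) and 10.0.0.9 (LTE only) are dropped by the `index_count=2` filter.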