The term "join" is not helpful here.
what are you comparing the memory of? is it the same host? Use host.
The events you are combining appear to be in the same index and type. Are there more than one record? Do you want to take only the latest number of each type? if so, do you want the latest number of all, or the latest for each host?
I'm going to assume that there are two different kinds of event data, and that you want the most recent of each.
index=main type=test
| fields index type .... list all the fields you need from either type...
| eval rectype=case(if it is the first kind of record, "1", if it is the second kind of record, "2")
| dedup rectype
| stats values(*) as *
Now all the fields from both events are together on a single record.
... View more