i still cant use eval or rex to normalize my fields at search with OR so that wont work. (index=x sourcetype=y  |eval xxxx | rex xxxx ) OR (index=a sourcetype=b |eval xxxx |rex xxxx ) as far as i know, this type of spl is not valid ... View more

i forgot to answer your first question. I want stats on matches by username1=username2 during 5 min buckets of the two searches. I want to end up with a table that only shows me usernames that appear in both searches within the same timebucket ... View more

I know there are more efficient ways to get the results im looking for. I also need to use rex and eval to normalize the fields in both my searches, since they look quite different at index time. I don't think i can use rex and eval in a search like that? ... View more

I might be misunderstanding but no, not exactly. I have two different searches i want to combine with append, and run a stats to count matches on username by _time. search1 gives me a table like this: Time Username1 2026-01-22 09:20:00 johnsmith 2026-01-22 09:25:00 lucywilliams   search2: Time Username1 2026-01-22 09:20:00 richardevans 2026-01-22 09:25:00 lucywilliams   index=x sourcetype=y username="" |bin _time span=5m |append[search index=a sourcetype=b username="" |bin _time span=5m ] I want a final table that gives me counts on matches by username in the same time bucket from the two searches. Time Username1 Username2 Count 2026-01-22 09:25:00 lucywilliams lucywilliams 1           To give a bit more context, search1 looks in an index for vpn clients to our business (working from home etc), search2 looks in index for admin logins on for example servers or other objects. From a security standpoint this goes againts company policy, so im trying to create a search which can be used in a report/dashboard for improving information to the sysadmins and security personel. ... View more