The append command combines the results of two searches in a very rudimentary way. That is, the output of the second search follows the output of the first. In tabular form it might look like this:

_time                 _raw                    condition1            condition2
2020-11-29T14:40:04   result 1 from search 1  2020-11-29T14:40:03
2020-11-29T14:40:03   result 2 from search 1  2020-11-29T14:40:03
2020-11-29T14:40:02   result 1 from search 2                        2020-11-29T14:40:01
2020-11-29T14:40:01   result 2 from search 2                        2020-11-29T14:40:01

Because half the results contain the condition1 field and the other half contain the condition2 field, only the first half will meet the condition where condition1>condition2. The solution is to merge the two sets of events before comparing fields.

index="index1" (Message=SEARCH1 earliest=-31m@m latest=-1m@m )
| transaction Message SrcIP | where eventcount > 10
| search Message="SEARCH1"
| eventstats min(_time) as condition1
| append
    [ | search index="index1" SEARCH3 earliest=-61m@m latest=-1m@m
      | eventstats min(_time) as condition2 ]
```Merge the results```
| stats values(*) as * by someCommonField
| where condition1 > condition2
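The behaviour the answer describes, modelled in plain Python as an added illustration (not Splunk code and not from the answer): `append` leaves each row with only its own condition field, the `where` drops every row, and grouping on a common field first (here a constructed `host` field, standing in for `someCommonField`) makes the comparison work. ISO-8601 strings are compared lexically for simplicity; Splunk compares epoch values.

```python
from collections import defaultdict

# Constructed sample rows: each search carries only its own condition field,
# exactly as the table in the answer shows.
SEARCH1 = [
    {"_time": "2020-11-29T14:40:04", "host": "web1", "condition1": "2020-11-29T14:40:03"},
    {"_time": "2020-11-29T14:40:03", "host": "web2", "condition1": "2020-11-29T14:40:03"},
]
SEARCH2 = [
    {"_time": "2020-11-29T14:40:02", "host": "web1", "condition2": "2020-11-29T14:40:01"},
    {"_time": "2020-11-29T14:40:01", "host": "web2", "condition2": "2020-11-29T14:40:01"},
]


def append(first, second):
    """SPL `append`: the subsearch rows simply follow the main search rows."""
    return list(first) + list(second)


def where_c1_gt_c2(rows):
    """SPL `where condition1 > condition2`: a row lacking either field
    evaluates to null and is discarded, so no appended row can match."""
    return [r for r in rows
            if "condition1" in r and "condition2" in r
            and r["condition1"] > r["condition2"]]


def merge_by(rows, key):
    """SPL `stats values(*) as * by key`: one row per key value, every other
    field becoming the sorted set of values seen across the group (multivalue)."""
    groups = defaultdict(lambda: defaultdict(set))
    for r in rows:
        for field, value in r.items():
            if field != key:
                groups[r[key]][field].add(value)
    return [{key: k, **{f: sorted(v) for f, v in fields.items()}}
            for k, fields in groups.items()]


def where_c1_gt_c2_merged(rows):
    """Same comparison on merged rows. Each condition has exactly one value
    per key in this model, so the single multivalue entry is compared."""
    return [r for r in rows
            if "condition1" in r and "condition2" in r
            and r["condition1"][0] > r["condition2"][0]]
```

Running `where_c1_gt_c2(append(SEARCH1, SEARCH2))` returns no rows, while `where_c1_gt_c2_merged(merge_by(append(SEARCH1, SEARCH2), "host"))` returns both hosts.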