I am trying to get Unique IDs (appears in both indexes) but I only want to count if there is event_name="AccountFinalized OR event_name="AccountActivated" in index 1 AND event_name="Deposit" in index 2.
(index=capi_event event_name="AccountFinalized" OR event_name="AccountActivated" account_id ) OR (index=piq_event ) | join type=inner "account_id" [search index=piq_event event_name="DEPOSIT" account_id state!="WAITING_INPUT"] | stats dc(account_id) AS uniqueID dc(status) AS uniqueStatus count(state) AS State by event_name |
