I'm not sure if my previous answer used to work or was simply incorrect. Tstats does work with union:
| tstats summariesonly=false values(Authentication.tag) as tag, values(Authentication.app) as app, count(eval('Authentication.action'=="failure")) as failure, count(eval('Authentication.action'=="success")) as success from datamodel=Authentication by Authentication.src |union [tstats count from datamodel=Authentication BY Authentication.src ]
So to rework the example above:
| tstats count(dst_ip) AS cdip FROM bad_traffic groupby protocol dst_port dst_ip | union [tstats count(dst_ip) AS cdipt FROM all_traffic groupby protocol dst_port dst_ip src_ip] | stats sum(cdip) as cdip sum(cdipt) as cdipt values(src_ip) as src_ip by protocol dst_port dst_ip | search cdip>0 cdipt>0
You might need to make the source datamodel names explicit and rename, but that should be straightforward, either before the union, after it or inside the subsearch.
... View more