Hello ayn and sideview.

This solution was what I was looking for!

Thank you very much!

Sideview

Do you mind if I ask the reason why should I not use the join command?

Hello sideview.

Thank you for the comment.
The stats command is just the filter for which record should I remain in use.

I will look into the format command.

definitely don't use join here. Also if you omit the format command from a subsearch entirely, splunk will sneak one in, and it'll be one with those exact same arguments. So you can simplify Ayn's answer by removing that format command entirely.

Also I'm not sure what your intention is with stats count(eval(diffSeq>0)) but since you're only using the distinct values anyway at the end, it's looks completely equivalent to

* [search index=test1_it OR index=test2_it 
earliest="11/1/2013:0:0:0" latest="12/1/2013:0:0:0"
| dedup fieldA
| fields fieldA ]

Well I have to bit amend my words.

Since the parameters I am passing to the next search will be the results from the stats. Which means I can not use the fixed search commands , like format "(" "(" "OR" ")" "OR" ")"] .

So I thought I needed to use the join to merge the results.

That's simpler? o_O

Hi ayn.

I think I found more simpler way.
I would rather use join type=inner join

| join type=inner max=0 fieldA [
search index=test1_it OR index=test2_it earliest="11/1/2013:0:0:0" latest="12/1/2013:0:0:0"
| sort 0 +fieldA
| delta Seq as diffSeq p=1
| search diffSeq=*
| stats count(eval(diffSeq>0)) as cnt by fieldA
| fields fieldA ]

This is part of actual search.