here the search note that rename and eval in the search I used to make sure the two data set has same fieds name
index=indexA earliest=07/17/2017:17:00:00 latest=07/18/2017:22:00:00| rename event_time AS Timestamp, preview AS Content, sender AS SenderNumber, original_recipients AS original_recipients, URL AS URLCTA, domain AS DomainCTA, phone AS PhoneCTA, email AS EmailCTA | eval subject="" | eval Size="" | eval Headers="" | eval Sender_ip_address="" | eval ReporterNumber="" | eval IMEI_Sender="" | eval Type="SMS" | eval Direction="Outgoing" | search original_recipients=* SenderNumber=1234567890
| table Timestamp, subject, Content, Size, Headers, SenderNumber, Sender_ip_address, ReporterNumber, original_recipients, URLCTA, DomainCTA, PhoneCTA, EmailCTA, IMEI_Sender, Type, Direction
| append[search index=indexB earliest=06/25/2017:17:00:00 latest=07/01/2017:10:00:00 | rename Timestamp AS Timestamp, Content AS Content, SenderNumber AS SenderNumber, ReporterNumber AS ReporterNumber, URLCTA AS URLCTA, DomainCTA AS DomainCTA, PhoneCTA AS PhoneCTA, EmailCTA AS EmailCTA
| eval subject="" | eval Size="" | eval Headers="" | eval Sender_ip_address="" | eval original_recipients=7726 | eval IMEI_Sender="" | eval Type="New_7726" | eval Direction="Incoming"
| search ReporterNumber=1234567890
| table Timestamp, subject, Content, Size, Headers, SenderNumber, Sender_ip_address, ReporterNumber, original_recipients, URLCTA, DomainCTA, PhoneCTA, EmailCTA, IMEI_Sender, Type, Direction]
thanks and regards,
... View more