I am combining 3 source types. I've tried using |stats values() but can't seem to get it to work.
Example of what I currently have written but it runs too slow.
index=integration sourcetype=Incident
| join type=left Assignment_Group
[search index=integration sourcetype=Assignment
| rename NAME AS Assignment_Group Team_Leader AS Leader_ID
| join type=left Leader_ID
[search index=integration sourcetype=ROLLUP_ORG_LEVELS
| rename ID AS Leader_ID ]]
| dedup Incident_ID
| table Incident_ID Assignment_Group LVL3_MGR
... View more