If I understand you correctly, you need to look at two different time ranges in two different indices.
In that case, it is most likely to be true that a join will be needed.
Here’s one way it can be done:
index=ndx1 sourcetype=srctp1 field1="someval" src="*" earliest=-1h
| stats count by src
| join src
    [| search index=ndx2 sourcetype=srctp2 field2="otherval" src_ip=* src_nt_host=* earliest=-14d
     | stats count by src_ip src_nt_host
     | fields - count
     | rename src_ip as src ]
You may need to flip the order of the searches, depending on how many results they each return, and how long they take to run.
You may also be able to achieve what you’re looking for in another manner without the use of a join, but we’d need to have some sample data to possibly give a better result.
from User warren – Stack Overflow https://stackoverflow.com/questions/70671669/splunk-query-to-take-a-search-from-one-index-and-add-a-fields-value-from-anothe/70685612#70685612
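As an added illustration of the join-free alternative the answer hints at (this is not part of the original answer), the same correlation can be done with append plus stats, using the index, sourcetype and field names from the answer; it assumes src_nt_host is the only field wanted from ndx2 and that the 1-hour and 14-day windows apply to ndx1 and ndx2 respectively:

```spl
index=ndx1 sourcetype=srctp1 field1="someval" src="*" earliest=-1h
| stats count AS hits by src
| append
    [ search index=ndx2 sourcetype=srctp2 field2="otherval" src_ip=* src_nt_host=* earliest=-14d
      | stats count by src_ip src_nt_host
      | rename src_ip AS src
      | fields src src_nt_host ]
| stats sum(hits) AS hits, values(src_nt_host) AS src_nt_host by src
| where hits > 0
```

Rows that only came from ndx2 have no hits value, so the final where clause drops them and keeps just the last-hour sources with any hostname seen for them in the last 14 days; note that the append subsearch is still subject to the same subsearch result and time limits as the join subsearch.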