Answer by warren for How can I conditionally create splunk field aliases?

Some of the answers on here are on a good track (especially @Adrian Hall’s suggestion to use eval ... coalesce()).

But this is simpler:

(index=ndx1 sourcetype=srctp userId=* client=* version=*) OR (index=ndx2 sourcetype=srctp2 fooid=* speed=*)
| rename fooid as userId
| stats values(client) as client values(version) as version values(speed) as speed by userId
| where isnotnull(version) AND isnotnull(client) AND isnotnull(speed)

You have to combine the different logs before looking for commonalities – one way is with join, but it’s usually not the right choice – especially when you can leverage stats to your advantage 🙂

Depending on your time frame, using fields to drop the raw event (_raw) and keep only what you plan to use is likely to be notably faster, too (even if it’s not faster, it will return a lot less data, meaning you won’t bump against any user quotas as quickly):

(index=ndx1 sourcetype=srctp userId=* client=* version=*) OR (index=ndx2 sourcetype=srctp2 fooid=* speed=*)
| fields - _raw
| fields fooid userId client version speed
| rename fooid as userId
| stats values(client) as client values(version) as version values(speed) as speed by userId
| where isnotnull(version) AND isnotnull(client) AND isnotnull(speed)

from User warren – Stack Overflow https://stackoverflow.com/questions/10019793/how-can-i-conditionally-create-splunk-field-aliases/74547217#74547217
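Added example, not part of warren's answer: a Python model of the stats-based correlation over constructed events, showing why grouping by the shared key and then filtering on non-null fields behaves like an inner join across the two sources. The sample events are invented, and the key normalization is modeled as coalesce(userId, fooid), which is an assumption of this sketch.

```python
from collections import defaultdict

# Constructed sample events standing in for the two searches in the answer.
EVENTS = [
    {"index": "ndx1", "userId": "u1", "client": "ios", "version": "1.2"},
    {"index": "ndx1", "userId": "u1", "client": "web", "version": "1.3"},
    {"index": "ndx2", "fooid": "u1", "speed": "40"},
    {"index": "ndx1", "userId": "u2", "client": "web", "version": "2.0"},  # no ndx2 event
    {"index": "ndx2", "fooid": "u3", "speed": "55"},                        # no ndx1 event
]

FIELDS = ("client", "version", "speed")


def stats_values_by_user(events):
    """Model of: stats values(client) values(version) values(speed) by userId."""
    groups = defaultdict(lambda: {f: set() for f in FIELDS})
    for ev in events:
        # Key normalization, modeled as coalesce(userId, fooid).
        key = ev.get("userId") or ev.get("fooid")
        if key is None:
            continue  # stats drops events that lack the by-field
        for f in FIELDS:
            if f in ev:
                groups[key][f].add(ev[f])
    # values() yields de-duplicated, sorted values; a field with none is null.
    return {k: {f: sorted(v) for f, v in g.items() if v} for k, g in groups.items()}


def correlated(events):
    """Model of the final where clause: keep users seen with all three fields."""
    rows = stats_values_by_user(events)
    return {k: r for k, r in rows.items() if all(f in r for f in FIELDS)}


if __name__ == "__main__":
    for user, row in correlated(EVENTS).items():
        print(user, row)
```

Users that appear in only one index (u2 and u3 here) survive the stats step but are dropped by the where clause, which is the inner-join behaviour without the cost of join.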