Answer by warren for Splunk query to map Exceptions to Endpoints

This answer presumes your fields are already properly extracted.

If they are not, you’ll need to do that first (and we can help you with it).

Something like this should do the trick for you:

((index=ndxA sourcetype=srctpA) OR (index=ndxB sourcetype=srctpB)) thread=* spanid=* loglevel=*
| stats values(errorCode) as errorCode values(httpUrl) as httpUrl values(httpMethod) as httpMethod max(_time) as _time by thread spanid loglevel
| table _time httpMethod httpUrl errorCode

from User warren – Stack Overflow https://stackoverflow.com/questions/76583228/splunk-query-to-map-exceptions-to-endpoints/76584353#76584353