What IS the common field across these events? IP address? Hostname? Something else?
Something along the lines of this will get you started:
index=ndx sourcetype=srctp ip=*
| fields - _raw
| fields _time ip req_id session_id app_id cust_id
| fillnull value="n/a" req_id session_id app_id cust_id
| stats count by ip req_id session_id app_id cust_id
| fields - count
or, perhaps:
index=ndx sourcetype=srctp ip=*
| fields - _raw
| fields _time ip req_id session_id app_id cust_id
| stats values(*) as * by ip
from User warren – Stack Overflow https://stackoverflow.com/questions/77048806/in-splunk-how-do-i-efficiently-map-data-from-separate-searches-into-the-same-ro/77053082#77053082
via IFTTT