I have two indexes that I have successfully joined, they are indexA and indexB. There is a field in the resulting (joined) event FieldC. I have another index, indexY with FieldD. I need to join this indexY to indexA and indexB. This works ok.
index=indexA FieldC | join FieldC [search index=indexB FeildC] | join FeildD [search index=indexY FeildD] | table _time, FeildC, FieldD
now the tricky bit, I have indexE which has a start and finish event. How do I run the double join, between the two time events (Logon and logoff) in index E.