Join two stats searches and run stats/group on the result

I'd like to join two searches and run some stats to group the combined result to see how many users change/update browsers how often. In my IIS logs I have one search that gives me a user agent string ( `cs_User_Agent`) and a `SessionId`; then another that has the `SessionId` and the `UserId` search 1 retrieves a table of `cs_User_Agent` and `SessionId`: ` host=HOST1 index=iis sc_status=200 getLicense | sistats dc(SessionId) count by cs_User_Agent` SessionId cs_User_Agent count 0014D886099319E6 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/64.0.3282.140+Safari/537.36+Edge/17.17134 12 0014D953D99FD234 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36 5 0014D953D99FD234 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36 5 00154D82F471A7AA Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36 2 0015B3CAC0EC3940 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/68.0.3440.106+Safari/537.36 30 0015C53D737B2991 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/68.0.3440.106+Safari/537.36+OPR/55.0.2994.61 16 search 2 retrieves a table of `SessionId` and `UserId`: `host=HOST1 index=iis sc_status=200 authorize | stats count by SessionId, UserId` SessionId UserId count 00061D40BFAB4208 4BJKKEAWGYXEAJH0F5F9DHSC0024 2 0008F091D8E8BE1A 1I7WKS9XIMZ92DCZF6CVKA4E001Q 2 000E5B538CC0A7B2 KQCZIHHPG9IOC9UD7MJICESS005B 1 000FC56381D4EA4B 3PH0F08V00SY9GFPGVCQBIQN006N 3 00106C907ED66683 JALM1LNJ8SV72BNHE1C5H0I50020 3 0013143CBC157C26 ETW9HL7L71PQJB7P492LLFEM006E 4 001E25B42A554F79 702EBB0O8MKG0VI94VIQ01ZE0031 1 I need to join these together to see how many different `cs_User_Agent` strings the users had during the period and count those. Basically to see how many of the users change/update browsers very often. So, my result should look like this: Number of UA Strings in the period | Number of Users in grouping >20 1>10 3>5 4 5 10 4 3 3 3 2 1 1 14 The results for search 1 & 2 would return A LOT of data, and from reading the subsearch info it sounds like that's not ideal as the whole subsearch would have to stay in RAM? Is there a better way than subsearch to do this?