I have a collection of hundreds of files. I want to write a search that (1) finds which file has a certain keyword and then (2) search that particular file for additional content for tabling.
Searching for the specific file is done as follows ...
source="jobs/*" "load = 1234" | dedup source
... but I have been googling/trying to figure out how to use that source to drive the next part of the query. Here is some pseudocode with source renamed for ?clarity? as so far I have not been able to find a good way.
source="jobs/*" "load = 1234" | dedup source | rename source as XX | search source=XX "mysearchstring"
Think you want to use a subsearch:
"mysearchstring" [ search source="jobs/*" "load = 1234" | dedup source | table source ]