First, thanks for the answer! It's helped me to get a bit closer, but I'm still not getting what I'm looking for. Here's what happens:
If I run your search as written, I get 0 results. I can get results if I modify it to add
| rename IPAddress as src | fields + src ]
to the end of the subsearch, but then it's giving me results for any IPAddress that appears in my initial table, only over the entire time range. I would like the search to only return events that occur between StartDate1 and EndDate1 for IPAddress1, between StartDate2 and EndDate2 for IPAddress2, and so on.
I tried adding
|rename IPAddress as src, StartDate as earliest, EndDate as latest | fields + src,earliest,latest ]
to the end, but then I get an error: Error in 'search' command: Unable to parse the search: Invalid search: AND AND.
This makes sense, since earliest and latest are search parameters and not fields, but I can't think of any other way to return the start and end parameters from the subsearch.
Any other ideas on how to parameterize the outer search from within the subsearch, or any other way to do what I'm looking for?