I was trying to figure out why my search with a subsearch does not work, and then I realized that the exact semantics of the subsearch are not clear to me.
Consider the following search:
( ( t="*my_substring*" ) )
This works and generates a number of results. Then consider the following search:
*| eval t="*my_substring*" | head 1 | fields t | format
It generates:
( ( t="*my_substring*" ) )
That is, I got the same text that I used for the first search. Now I combine both:
[search *| eval t="*my_substring*" | head 1 | fields t]
This gives 0 results. Why? I thought the subsearch results are formatted using an implicit format and then the outer search is run with [...] literally replaced with that result string.