How do I pass an event's field value into a subsearch to retrieve another field?
At the moment, I can't use join because the records in the other sourcetype rack up to millions. Due to a limitation, the join command will only return a maximum of 50,000 results to perform the join.
I need a direct search, to eval an extra field for each event using a field from the event.
Example of something I am trying:
Placing employeeID, a field from every event of the main search, into a subsearch
index=a sourcetype=sta | eval employeeAddress= [index=b sourcetype=stb empID=$employeeID$ | return empAddress]