Using the following search strangely doesn't return the same result as it does in using postman, browser, etc. Essentially, we've got a list of IPs joined together that I'm attempting to pass to the shodan API which the "net:" search filter supports. The list of IPs will looks like so: "1.2.3.4,1.1.1.1,8.8.8.8" etc

(yes, the API key is included in the curl but is removed for the sake of this question)

index=test_index 
| dedup src_ip
| stats values(src_ip) as ip_list
| eval ip_list = mvjoin(ip_list, ",")
| curl method=get uri="https://api.shodan.io/shodan/host/search?query=net:".ip_list."&fields=ip_str,port,timestamp,vulns&minify=false&language=en

However, we get 0 matches when the response body is returned:

{
"matches": [],
"total": 0
}

Example query that returns a response: api.shodan.io/shodan/host/search?query=net:1.1.1.1,8.8.8.8,9.9.9.9&fields=ip_str,port,timestamp,vuln...

Is the literal string expression (".ip_list.") not supported by TA-WebTools? 

Thanks!