Forgoing a conversation about efficiency I'm trying to essentially pass a multi value field into a map command in a way that mimics what you might see by using the | format command. Granted the format command is used for seeing what is passed to a parent search from a subsearch.

In this case let's say I have a search like

| tstats count WHERE sourcetype=some_sourcetype BY sourcetype index | stats values(index) as index by sourcetype

If I add | format at the end of that search I end up with what I'm trying to push to the map command index="foo" OR index="bar" AND sourcetype="some_sourcetype". For my usecase I don't want to have separate queries spawned by the map command for each index and sourcetype pair. I also really am trying to spawn a search for each sourcetype vs passing the data up as one big ORed subsearch result. I'm not married to values() but I used it to combine multiple results into one field so that each sourcetype from the original search would have its own line/event. What I'm trying to get to is something like

| tstats count WHERE sourcetype=some_sourcetype BY sourcetype index | stats values(index) as index by sourcetype | map [search <insert sourcetype> AND <insert index(es)> | ... ]

You can pass sourcetype easy enough ( sourcetype=$sourcetype$) but after trying a number of ways to doctor the index name string I'm passing down I've not had any luck. It doesn't appear like you can simply drop a token in the spawned query like you might in a dashboard. Part of the issue I'm having is when you look at the job inspector you don't see what the spawned query actually looks like.

I sure would be interested in any thoughts.