Hi,
What's the best way to filter a search against a set of unique id's in a subsearch?
Currently, approaching it as such:
<events to filter against subsearch ids>
| join left subsearch_id
| [search subsearch]
Though, it's returning a 1:1 set v. all primary search events that contain a matching id.
There's no much to work with in the question, but perhaps this gives you an idea.
<events to filter against subsearch ids> [search subsearch | return 1000 subsearch_id]
The subsearch with return command returns a string of the type "(subsearch_id="foo" OR subsearch_id="bar")" which filters the events from the base search.