I dont think you actually need a subsearch here. There's a lot of things that only subsearches can do, but I dont think your case here is one of them (and your case is a pretty cool example). It's a good practice to avoid subsearches wherever possible.

Here's one way to do it:

java.lang.OutOfMemoryError OR "Start Display Current Environment" | transaction host maxspan=5m startswith="OutOfMemoryError" | search java.lang.OutOfMemoryError NOT "Start Display Current Environment"

• Dissecting this step by step, the first search command gets you a big interleaved search result set.
• Then the transaction will roll up everything to where each row in the results is from a single host but the 'event' text is now a big multiline string of all the events, always starting with the OutOfMemoryError, but never spanning more than 5 minutes total.
• Then at the end we simply filter out the hosts where it did actually restart.
• NOTE: I actually have to include the java.lang.OutOfMemoryError term again in the final search. The reason is that if a transaction terminates because it reaches the maxspan, it'll actually start a new transaction right then and there, which will have random events in it but no java.lang.OutOfMemoryError. Filtering again by OutOfMemoryError just filters that noise away.

Hopefully that'll work.

As an aside, this approach opens up several other avenues: notably if you put this before the transaction,

eval errorTime = if(searchmatch("OutOfMemoryError"), _time, null) | eval restartTime = if (searchmatch("Start Display Current Environment"), _time, null)

and then after the transaction and search you put eval timeBeforeRestart = restartTime-errorTime, then you can graph the timeBeforeRestart by host which could be a useful trick.