I have the first query
First Query : search criteria | rex field=_raw ".* IPAddress=(?<IPAddress>.+?) " | table IPAddress
The above query is returning a table with all IPAddress. I want this data to be looked at in the second query. How can we write two queries as single?
Second Query : search criteria | rex field=_raw ".* IPAddress=(?<IPAddress>.+?)\"" | where IPAddress in (first Query results ) | rex field=_raw ".* value=(?<value>.+?)\"" | table IPAddress,value, _time
I tried below but it is empty results
<first search > | rex field=_raw ".* IPAddress=(?<IPAddress>.+?)\"" | where IPAddress in ([search <second search> | rex field=_raw ".* IPAddress=(?<IPAddress>.+?) "
| fields IPAddress ])| rex field=_raw ".* value=(?<value>.+?)\"" | table IPAddress,value, _time
