I have a requirement where i got to see if the results of a Search1 with Index1 are available in search2 with Index2.

Search 1 --
index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com" | table alert.explanation.cnc-services.cnc-service{}.address | mvexpand alert.explanation.cnc-services.cnc-service{}.address | fields alert.explanation.cnc-services.cnc-service{}.address

Result 1 --

alert.explanation.cnc-services.cnc-service{}.address

ftp.restavracija-hongkong.si
whatismyipaddress.com

Search 2 --
index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d "whatismyipaddress.com" | stats count(cs_url_host) as cnt,values(url) as url by cs_url_host
Result 2 --

cs_url_host cnt url

cdn.whatismyipaddress.com 8 tunnel://cdn.whatismyipaddress.com:443/
whatismyipaddress.com 3 tunnel://whatismyipaddress.com:443/

But when i am mixing both the queries and trying i am not getting any output. Can anyone help.

index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d [search index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com" | table alert.explanation.cnc-services.cnc-service{}.address | mvexpand alert.explanation.cnc-services.cnc-service{}.address | fields alert.explanation.cnc-services.cnc-service{}.address] | stats count(cs_url_host) as cnt,values(url) as url by cs_url_host

(or)

index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d | search [search index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com" | table alert.explanation.cnc-services.cnc-service{}.address | mvexpand alert.explanation.cnc-services.cnc-service{}.address | fields alert.explanation.cnc-services.cnc-service{}.address]