You see, there are some that lack the src_email field, so I try to fill it in using that search's return, associating it with the session_id field.
I tried "transaction" with maxspan=1d, but in reality, the waiting time to run it is very high.
host=172.16.1.21 | eval dst_email=if(isNull(src_email),[search host=172.16.1.21 src_email=* earliest=-1d latest=now | where session_id=session_idMAIN | head 1| return $src_email],src_email)
| table session_id,src_email,dst_email
Not the way you are doing it. You can return data from a subsearch, either as a single value, a field-value pair, or a set of field-value pairs. That's not the problem.
What you can't do is to pass data from the main search to the subsearch. where field_SUB=field_MAIN is not legal. Splunk executes the subsearch first, so there is no data from the main search to pass.
If you want to combine data from two searches in that way, you will need to use another technique. For the example you have given, it appears that you are trying to look up a value for fieldA from index=other_index. For that, I would use a lookup instead of a second index.
More information about what you are trying to do would probably be helpful.
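
An added example, not part of the original posts: one way to fill the missing src_email per session_id in a single pass, without a subsearch or transaction, using eventstats. It assumes every event of a session carries session_id and that a session has one sender; filled_email is a hypothetical field name, and the one-day time range is taken from the question's subsearch.

```spl
host=172.16.1.21 earliest=-1d latest=now
| eventstats values(src_email) AS filled_email BY session_id
| eval dst_email=coalesce(src_email, mvindex(filled_email, 0))
| table session_id, src_email, dst_email
```

Sessions in which no event has src_email leave dst_email empty, which makes them easy to spot with a trailing `| where isnull(dst_email)`.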