We were on 3.4.6 and I think subsearches worked fine. We upgraded to 4.0.10 and they broke. So I upgraded to 4.1.1, and they're still broken. It might be something in limits.conf, but we're pretty close to default there.
returns 4 results.
eventtype=abc mailto=xyz | fields + mid|format
returns those same results as ((mid="1") OR (mid="2") OR (mid="3") OR (mid="4"))
eventtype=abc [search eventtype=abc mailto=xyz | fields + mid]
or anything with a subsearch returns no results. The Cisco E-Mail Security Form Search from the cisco_esa_addon app does a search similar to this and returns nothing.
I recommend also running the search and then doing
Actions > Inspect Search
You'll see a page with lots of strange data on it. Scroll down to find the 'remoteSearch' entry. The search you'll see there will have some very strange-looking characteristics. You'll see some weird 'litsearch' commands and it'll look a little weird. However, it will also have expanded all the eventtypes, and it will also have the basic terms that came out of your subsearch.
Take a look at that and that may help.
Oh, if it's not too much trouble, can you tell us how mid is extracted? More specifically, are the values of mid delimited on each side by a non-word character? E.g., if 2, is it extracted from
xxx, 2, yyy
or is it more like
xxx, n2, yyy
or even
xxx, n2m, yyy?