It would help to know the error you received, but I suspect it's a syntax error of some sort. That's because subsearches have to be placed where their results would make semantic sense. IOW, if the subsearch produces a result like (original_user=foo OR original_user=bar) then this makes no sense.

| eval Name= mvindex((newValue),1)
(original_user=foo OR original_user=bar)
| stats values(*) as *

Try this, instead

(index=<my index>) EventType="A" EventType=A
| rename username as original_user
| eval Id= mvindex((newValue),0)
| eval Name= mvindex((newValue),1)
| search [ search index=<my index> <filtering by a string>
| eval src_email= mvindex((newValue),3)
| rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)"
| fields original_user
| format ]
| stats values(*) as *

Or this similar query for better performance

(index=<my index>) EventType="A" EventType=A [ search index=<my index> <filtering by a string>
| eval src_email= mvindex((newValue),3)
| rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)"
| fields original_user
| rename original_user as username
| format ]
| rename username as original_user
| eval Id= mvindex((newValue),0)
| eval Name= mvindex((newValue),1)
| stats values(*) as *