If I understand the use case, you can achieve the goal using a subsearch.

```
(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)
| table dest, dst, Ip, source_ip, src_ip, src
| eval IP_Addr = coalesce(dest, dst, Ip, source_ip, src_ip, src)
| search [search index="tml_it-mandiant_ti" type=ipv4 | return 10000 IP_Addr=value]
| stats count by IP_Addr
| where count >= 1
```

The subsearch will return a list of up to 10,000 IP addresses in the form (IP_Addr=1.2.3.4 OR IP_Addr = 2.3.4.5 OR ...) which the search command will use to filter results from cim_Authentication_indexes. The key thing is to make sure the field name returned from the subsearch exists in the data from the main search (in the example, IP_Addr rather than value).
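The following Python model of that pipeline is an added example, not part of the answer above, and it runs on constructed authentication events and constructed threat-intel records rather than on Splunk data. It reproduces each stage of the SPL (the `NOT (action=success user=*$)` exclusion, the `coalesce` into `IP_Addr`, the subsearch turned into an OR filter keyed by a field name, and `stats count by IP_Addr`), and it lets you see the failure mode the answer warns about: if the subsearch returns its indicators under `value` instead of `IP_Addr`, the filter matches nothing and the result is empty. All field values and the TI index name used below are assumptions taken from the answer or invented for the sample.

```python
"""Model of the SPL subsearch pipeline on constructed data (added example)."""
from collections import Counter

# Constructed authentication events; the keys mirror the fields the SPL
# coalesces (dest, dst, Ip, source_ip, src_ip, src). All addresses are
# documentation ranges (RFC 5737), not real hosts.
AUTH_EVENTS = [
    {"action": "failure", "user": "alice", "src_ip": "203.0.113.10"},
    {"action": "success", "user": "bob", "dest": "198.51.100.5"},
    {"action": "success", "user": "WKS01$", "src": "203.0.113.10"},   # machine account: excluded
    {"action": "failure", "user": "carol", "source_ip": "192.0.2.77"},
    {"action": "failure", "user": "dave", "Ip": "203.0.113.10"},
    {"action": "success", "user": "erin", "dst": "192.0.2.9"},
]

# Constructed threat-intel records, shaped like the rows the subsearch reads
# (index="tml_it-mandiant_ti" type=ipv4, indicator stored in field "value").
TI_RECORDS = [
    {"type": "ipv4", "value": "203.0.113.10"},
    {"type": "ipv4", "value": "192.0.2.77"},
    {"type": "domain", "value": "bad.example"},   # wrong type, dropped by type=ipv4
]

COALESCE_ORDER = ("dest", "dst", "Ip", "source_ip", "src_ip", "src")


def main_search(events):
    """tag=authentication NOT (action=success user=*$): drop successful logons by machine accounts."""
    return [e for e in events
            if not (e.get("action") == "success" and e.get("user", "").endswith("$"))]


def coalesce_ip(event):
    """| eval IP_Addr = coalesce(dest, dst, Ip, source_ip, src_ip, src): first non-empty field wins."""
    for field in COALESCE_ORDER:
        if event.get(field):
            return event[field]
    return None


def subsearch(ti_records, field_name="IP_Addr", limit=10000):
    """| return <limit> <field_name>=value

    Models the OR-list the subsearch hands back (field=a OR field=b ...) as a
    mapping from the returned field name to the set of indicator values.
    """
    values = [r["value"] for r in ti_records if r.get("type") == "ipv4"][:limit]
    return {field_name: set(values)}


def run_pipeline(events, ti_records, return_field="IP_Addr"):
    """Whole pipeline; returns {IP_Addr: count} for events that hit the TI list."""
    rows = []
    for event in main_search(events):
        ip = coalesce_ip(event)
        if ip is not None:
            rows.append({**event, "IP_Addr": ip})

    # The outer "search" only matches when the field named by the subsearch
    # exists on the main-search rows. With return_field="value" nothing matches.
    filt = subsearch(ti_records, return_field)
    matched = [r for r in rows
               if any(r.get(field) in vals for field, vals in filt.items())]

    counts = Counter(r["IP_Addr"] for r in matched)       # | stats count by IP_Addr
    return {ip: c for ip, c in counts.items() if c >= 1}  # | where count >= 1


if __name__ == "__main__":
    print("IP_Addr=value :", run_pipeline(AUTH_EVENTS, TI_RECORDS, "IP_Addr"))
    print("value (mismatch):", run_pipeline(AUTH_EVENTS, TI_RECORDS, "value"))
```

Running it shows two failed-auth sources hitting the indicator list (203.0.113.10 twice, 192.0.2.77 once) when the subsearch returns `IP_Addr`, and an empty result when it returns `value`, which is exactly the field-name mismatch the answer tells you to avoid.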