Strictly speaking, no - it is not possible to populate a variable out from the subsearch into the primary search without Splunk interpreting that variable as a search value. But there are some other ways to go about it.
First Idea
Perform a unified search across both sources and preserve only the events that have a shared dest_ip . Then perform your stats command across the remaining results. It would look something like this:
(index=checkpoint rule=*) OR (index=sdwfw001 fac=f_http_proxy url=* request_command=CONNECT)
| eventstats dc(index) AS index_count BY dest_ip
| search index_count=2
|stats count by dest_IP policy_name url
The disadvantage here is that you aren't pre-filtering the checkpoint logs, so the search might bog down a bit, depending on the volume of data going into your checkpoint index.
Second Idea (not recommended)
The only way I know to pass a value as a variable (but not a search term) from one search into another is to use the map command. However, this command is terribly inefficient, as explained here: https://answers.splunk.com/answers/611129/newbie-map-question.html#answer-612249
But as a teaching exercise, it might be useful to understand how the map command could be used here:
index=sdwfw001 fac=f_http_proxy url=* request_command=CONNECT
|stats count by dest_IP url
| map maxsearches=0
[ search index=checkpoint rule=* "$dest_ip$"
| eval url="$url$"
| stats count by dest_ip policy_name url ]
| stats sum(count) AS count BY dest_ip policy_name url
Really, really - do not use this search, as it will launch a new search for every dest_ip found in the first part of the search. This is remarkably inefficient.
... View more