The search I just updated on the answer is doing that, but instead of field= subsearch, I'm having the subsearch generate that with the return command. The problem with this is you have to pass that clientip into your search three times. Shouldn't be a problem if you have this on a dashboard with tokens, but that will get annoying when having to do it by hand each time. We could use map instead to get around that:
```spl
| makeresults count=1
| eval clientIP="255.255.255.255"
| map search="| savedsearch IPresolver src=$clientIP$
    [ search sourcetype=DNSlogs
        [ search sourcetype=intel
        | stats values(intelstuff) as queried_domain
        | format ]
    | return clientIP queried_domain _time ]
  | eval
    [ search sourcetype=DNSlogs $clientIP$
        [ search sourcetype=intel
        | stats values(intelstuff) as queried_domain
        | format ]
    | return queried_domain ]
  | eval
    [ search sourcetype=DNSlogs $clientIP$
        [ search sourcetype=intel
        | stats values(intelstuff) as queried_domain
        | format ]
    | return _time ]
  | table user queried_domain _time"
```
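A self-contained way to see the two mechanisms from the search above working together, added here as an illustration and not part of the original answer: `map` substitutes `$clientIP$` everywhere in its search string (subsearches included), and `return` turns a subsearch result into a `field="value"` assignment that `eval` accepts. The IP address, domain and timestamp below are constructed values built with `makeresults` so the search runs with no DNS or intel data present; replace the inner `makeresults` generators with the real `sourcetype=DNSlogs` / `sourcetype=intel` searches to get the actual behaviour.

```spl
| makeresults count=1
| eval clientIP="203.0.113.10"
| map maxsearches=1 search="| makeresults count=1
    | eval clientIP=\"$clientIP$\"
    | eval
        [| makeresults count=1
         | eval queried_domain=\"constructed.example\"
         | return queried_domain ]
    | eval
        [| makeresults count=1
         | eval _time=now()
         | return _time ]
    | table clientIP queried_domain _time"
```

The inner double quotes are escaped with a backslash because the whole `map` search is itself a quoted string. Each `return` yields exactly one `name="value"` pair, so `eval` receives a single assignment; if a subsearch can match more than one row, wrap it in `stats` (as the original does with `values(intelstuff)`) or `head 1` before `return`, otherwise `eval` gets more than one assignment and the search errors.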