|eval output3 = replace(output3,"[\[\]\"]","")
|makemv output3 delim=","
|mvexpand output3
|rename output3 as id
|join id
[<second_search>]

If you want to keep the original values of id from the first search, add a temporary field:

|eval temp_id = replace(output3,"[\[\]\"]","")
|makemv temp_id delim=","
|mvexpand temp_id
|rename temp_id as id
|join id
[<second_search>]

If you want to combine the results of the second query back together, add this to the end:

| mvcombine id

Keep in mind that join only works with up to 50.000 events, but it doesn't seem like this limitation is relevant to your situation based on the example.

If the second search is a static list of codes that you want to match, you could also put the results of the second query into a lookup table:

|eval temp_id = replace(output3,"[\[\]\"]","")
|makemv temp_id delim=","
|mvexpand temp_id
|rename temp_id as id
|lookup <lookup_name> id OUTPUT id as found
|where isnotnull(found)
|fields - found