@ahcarpenter  so if I understand correctly, you're looking to get all downstream ids associated with trace-id=2e5b422130e64645cb9681a32fd28cb6 and then find all events that have any of those downstream ids. So, you can use the where clause and the subsearch, which allows you to do the field extraction before the where, so the downstream id field will then be visible in the where clause from the results of the subsearch. index=x | rex "downstreamTraceID\=\{ (?<downstream_trace_id>.{32})" | where [ search index=x 2e5b422130e64645cb9681a32fd28cb6 | rex "downstreamTraceID\=\{ (?<downstream_trace_id>.{32})" | stats values(downstream_trace_id) as downstream_trace_id ] There are probably other ways to achieve the same thing, but I think this should work.   ... View more

There's no much to work with in the question, but perhaps this gives you an idea. <events to filter against subsearch ids> [search subsearch | return 1000 subsearch_id] The subsearch with return command returns a string of the type "(subsearch_id="foo" OR subsearch_id="bar")" which filters the events from the base search. ... View more

Thank you!! ... View more