@Anonymous can you please help me. Still I'm facing issue to use the output of the 1st query in my 2nd query.   And my 2nd query is complex one as it contains 3 join query but all 3 required txn id as input also ... View more

@scelikok thanks so much. I just put join instead of | search and it worked magically.   My final query will be like  ... | Join [ search $token_account_id$ earliest=$token_time.earliest$ latest=$token_time.latest$| rex "txnid".{5}(?<TXNID>.*?(?=\\\))"|dedup TXNID | fields TXNID ] | rex "custid".{5}(?<custid>.*?(?=\\\))"| rex "custname".{5}(?<custname>.*?(?=\\\))"| rex "pdate".{5}(?<pdate>.*?(?=\\\))"|table custid, custname, pdate| rename custid as CustomerID, custname as Customer Name, pdate as Purchase Date  ... View more

Thanks for your reply. I tried this subsearch approach but seems it didn't give me any results ... View more

Thanks @scelikok  for the reply. Mu sample query 1st query ...| rex "txnid".{5}(?<TXNID>.*?(?=\\\))"|dedup TXNID  2nd query  ... Need to pass that TXNID here | rex "custid".{5}(?<custid>.*?(?=\\\))"| rex "custname".{5}(?<custname>.*?(?=\\\))"| rex "pdate".{5}(?<pdate>.*?(?=\\\))"|table custid, custname, pdate| rename custid as CustomerID, custname as Customer Name, pdate as Purchase Date    NB:- I will use this in the dashboard. In the dashboard I have one input text and a date filed which user need to provide. User will provide account id which need to be on 1st query based on the account and time stamo it will fetch the txnid and using that txnid need to fetch and show in the dashboard.                       ... View more

And I'm trying to use like this  .....|eval startDate = $job.earliestTime$ | eval endDate = $job.latestTime$ | table startDate endDate  ... View more