I'm trying to use the map command and it seems to fail when I try using some functions within the subsearch (specifically: cidrmatch()). This search returns a correctly-populated table of all the fields except for the "matches" field which is just empty index=my_index earliest=-5m | table _time src_ip | map search=" | search index=my_other_index earliest=-6h | rename id as id2 | dedup id2 | eval searchip=$src_ip$ | eval matches=if(cidrmatch(cidr_block, searchip), "true", "false") | table id2 searchip matches cidr_block" Note: my goal is to join two searches but not based on a common field, based on cidrmatching ips from one search to the cidrblocks in the other. I don't want to use lookup tables as I want both to be dynamic.
... View more
