Playing around to find a way to gather IP addresses from one type of search, to gather other types of information about the IP addresses. In this example I try to gather all IP addresses that are in the source type threat log; this source type does not contain session_end_reason, which is in the traffic log. So, I try to fetch all IP addresses that access *sonos.com* and use this to get all session_end_reason for those IP addresses. Maybe it's not possible, and it's a proof of concept I try achieving here.

    index="paloalto" src_ip="*" src_ip="*" [search index="paloalto" url="*sonos.com*" src_ip="*"] | table url src_ip session_end_reason

The result from this gives blank session_end_reason.

If I have this in my first search:

    index="paloalto" src_ip="*" src_ip="*" session_end_reason="*"

All ends up blank.

This at the end:

    | table src_ip session_end_reason

Ends up with only IP addresses, and no session_end_reason.

Is this possible?

Best regards
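An added example, not from the original post, of the same two-step search written so that the subsearch returns only the src_ip field (by default a subsearch hands every returned field back to the outer search as a filter); the sourcetype names pan:threat and pan:traffic are assumed from the Palo Alto Networks Add-on and may differ in your environment.

```spl
index="paloalto" sourcetype="pan:traffic" session_end_reason="*"
    [ search index="paloalto" sourcetype="pan:threat" url="*sonos.com*" src_ip="*"
      | stats count BY src_ip
      | fields src_ip ]
| stats count BY src_ip session_end_reason
```

Because traffic-log events carry no url field, the URL itself cannot be tabled on the outer search; it only selects which source addresses to look up.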