Is there a way to populate the items in an "IN" statement with the results of a sub query?  I've tried several variations. index=x accountid IN ( [ search index=special_accounts | rename accountid as query ] )  ... View more

I have this Query that produces two multi value fields, keys and values.  What i need to do is pair each entry in the keys multivalue field with it's matching value in the values multivalue field to create a json object that looks like this. { key1:val1, key2:val2, key3:val3 } index=test5 earliest=@s-24h apicall IN (aws_es_listDomainNames aws_es_listTags) NOT err | eval resourceid=coalesce(resourceid, DomainName) | eval uid=resourceid+accountid+region | rename "TagList{}.Key" AS keys | rename "TagList{}.Value" AS values | eval tags=mvzip('keys','values'," = ") | nomv tags.    //  this matches up the key and value pairs but isn't useful with json_object.   I've tried using json_object but json_object only accepts arguments and not a string of key value pairs.  Is there a way to produce a json object from the two multivalue fields above?   Thanks.     ... View more