Whereas the syntax problem that @PickleRick pointed out can be rectified by adding a pipe like this:

index=index1 source="/somefile.log" uri="/path/with/id/some_id/"
| rex field=uri "/path/with/id/(?<some_id>[^/]+)/*"
| search
    [ search index=index2 source="/another.log" "condition-i-want-to-find"
    | rex field=_raw "some_id:(?<some_id>[^,]+),*"
    | dedup some_id
    | fields some_id
    ]

this method reduces the advantage of using subsearch in your dataset. To improve efficiency, renaming field some_id to "search", as some have said would help, actually will help. (In part because / is a hard separator in Splunk.) You just need to add a format command:

index=index1 source="/somefile.log" uri="/path/with/id/some_id/"
    [ search index=index2 source="/another.log" "condition-i-want-to-find"
    | rex field=_raw "some_id:(?<search>[^,]+),*"
    | dedup search
    | fields search
    | format
    ]
| rex field=uri "/path/with/id/(?<some_id>[^/]+)/*"

Here is an emulation. Play with it and compare with your data. (The ``` ... ``` parts are SPL inline comments explaining which line of your search each piece stands in for.)

index = _internal log/splunk
``` the above emulates
index=index1 source="/somefile.log" uri="/path/with/id/some_id/"
```
    [ makeresults format=csv data="search
supervisor.log
splunkd_ui_access.log"
    ``` the above emulates
    [ search index=index2 source="/another.log" "condition-i-want-to-find"
    | rex field=_raw "some_id:(?<search>[^,]+),*"
    | dedup search
    | fields search
    | format
    ]
    ```
    | format ]
| rex field=series "log/splunk/(?<some_id>[^\"]+)"
``` emulates | rex field=uri "/path/with/id/(?<some_id>[^/]+)/*" ```
| stats count by some_id

On my laptop, it gives

some_id                count
splunkd_ui_access.log  59
supervisor.log         1045

As you can see, among all the logs, the output is limited to the two values in the subsearch.
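To make the mechanism in the answer above concrete outside of Splunk, here is an added Python emulation (not code from the post or from Splunk) of what the subsearch hands to the outer search in each variant. It implements my understanding of the default `format` output: every row becomes `( field="value" )`, rows are OR-ed, and a field literally named `search` is emitted as a bare term rather than `search="value"`. The log lines, the `/path/with/id/` URI layout and the tokenizer are constructed for the example; the tokenizer is a deliberate simplification of Splunk segmentation that only needs to show why the id inside a slash-separated URI is matchable as a bare term.

```python
import re

# Constructed sample data (not from the post).
# "index2 / another.log": events that carry some_id:<value>, ...
INDEX2_RAW = [
    "ts=1 level=INFO condition-i-want-to-find some_id:abc123, user=alice",
    "ts=2 level=INFO condition-i-want-to-find some_id:def456, user=bob",
    "ts=3 level=INFO condition-i-want-to-find some_id:abc123, user=carol",  # duplicate id
    "ts=4 level=INFO unrelated some_id:zzz999, user=dave",                  # fails the condition
]
# "index1 / somefile.log": events whose uri embeds the id
INDEX1_RAW = [
    'GET uri="/path/with/id/abc123/" status=200',
    'GET uri="/path/with/id/zzz999/" status=200',
    'GET uri="/path/with/id/def456/" status=500',
    'GET uri="/other/abc123x/" status=200',   # must NOT match the bare term abc123
]

SOME_ID_RE = re.compile(r"some_id:([^,]+),*")       # mirrors the post's inner rex
URI_ID_RE = re.compile(r"/path/with/id/([^/]+)/*")  # mirrors the post's outer rex


def subsearch_rows(raws, condition, field_name):
    """Emulate: search <condition> | rex some_id | dedup | fields <field_name>."""
    seen, rows = set(), []
    for raw in raws:
        if condition not in raw:
            continue
        m = SOME_ID_RE.search(raw)
        if not m or m.group(1) in seen:
            continue
        seen.add(m.group(1))
        rows.append({field_name: m.group(1)})
    return rows


def format_subsearch(rows):
    """Emulate `| format` with default separators (assumed behaviour).

    ( ( f="v" AND g="w" ) OR ( ... ) ); a field named `search` or `query`
    is emitted as a bare term, which is what the rename trick relies on.
    """
    clauses = []
    for row in rows:
        terms = [v if f in ("search", "query") else f'{f}="{v}"' for f, v in row.items()]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


# Simplified breaker set: '/' is included so each path component of the
# uri becomes its own token and a bare term can hit it.
BREAKERS = " \t\n\"[](){}|!;,'*&?+/:=@.-$#%\\_"
_SPLIT_RE = re.compile("[" + "".join(re.escape(c) for c in BREAKERS) + "]+")


def tokenize(raw):
    """Rough stand-in for Splunk segmentation: the set of bare tokens in an event."""
    return set(_SPLIT_RE.split(raw)) - {""}


def apply_bare_terms(raws, terms):
    """An outer search that received ( ( a ) OR ( b ) ) keeps events containing a or b."""
    wanted = set(terms)
    return [raw for raw in raws if tokenize(raw) & wanted]


def count_by_some_id(raws):
    """Emulate the trailing `| rex field=uri ... | stats count by some_id`."""
    counts = {}
    for raw in raws:
        m = URI_ID_RE.search(raw)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def run_emulation():
    """The post's second (efficient) form: subsearch field renamed to `search`."""
    rows = subsearch_rows(INDEX2_RAW, "condition-i-want-to-find", "search")
    generated = format_subsearch(rows)
    matched = apply_bare_terms(INDEX1_RAW, [r["search"] for r in rows])
    return generated, count_by_some_id(matched)


if __name__ == "__main__":
    # Without the rename, the generated filter names a field the outer
    # events do not have before rex, hence the post's need for `| search [...]`.
    print(format_subsearch(subsearch_rows(INDEX2_RAW, "condition-i-want-to-find", "some_id")))
    generated, counts = run_emulation()
    print(generated)
    print(counts)
```

Running it prints the two generated filters side by side: `( ( some_id="abc123" ) OR ( some_id="def456" ) )` versus `( ( abc123 ) OR ( def456 ) )`. Only the second one matches the raw outer events directly, and the decoy `abc123x` event is not picked up because the bare term has to match a whole token.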