Lovely thank you.  Just now figured out that even the below works

| rename transactionid as search

Source: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults

The following search looks for a value in the clID field that is associated with a name token or field value. The clID value is then used to search for several sources.

index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID ]

The subsearch returns the field and value in the format: ( (clID="0050834ja") )

To return only the value, 0050834ja, rename the clID field to search in the subsearch. For example:

index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID | rename clID as search ]

When the field is named search or query, the field name is dropped and the implicit | format command at the end of the subsearch returns only the value.

If you return multiple values, such as specifying ...| top limit=3, the subsearch returns each of the values with the boolean OR operator between the values. For example, if the previous search example used ...| top limit=3, the values returned from the subsearch are ( ( value1 ) OR ( value2 ) OR ( value3 ) ).

I always forget 'query' keyword

Here's the doco on those keywords

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Search/Changetheformatofsubsearchresults