The sub query search command | rex field=_raw "employeeid=(?<empid>[a-zA-Z0-9-]+)" | return empid
returns the result:
empid="d8666160-eaf4-4943-a661-60eaf4894357"
Now I want to do one more search using the value of employeeid field:
app="appname" AND "some text" AND "d8666160-eaf4-4943-a661-60eaf4894357"
How can I do this? I was trying to fix the below query but did not succeed.
app="appname" AND "some text" AND [search command | rex field=_raw "employeeid=(?<empid>[a-zA-Z0-9-]+)" | return empid]
I don't want to search with the field name in the Parent query but only use the field value from the sub query.
Use the join command:
parent query search
| rex "extract field"
| rename field as empid
| join empid
[ search child query search
| rex "extract child field"
| rename childfield as empid]
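
An added example, not part of either post above: the `return` command accepts a `$`-prefixed field name, which makes the subsearch hand back only the field's value instead of an `empid="..."` pair. The query reuses the question's own placeholder `search command`, app name and regex.

```spl
app="appname" AND "some text" AND
    [ search command
      | rex field=_raw "employeeid=(?<empid>[a-zA-Z0-9-]+)"
      | return $empid ]
```

By default `return` passes back only the first result row; to match several IDs, use `| dedup empid | return 10 $empid`, which expands to the values joined with OR.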