It would help to know the error you received, but I suspect it's a syntax error of some sort. That's because subsearches have to be placed where their results would make semantic sense. IOW, if the subsearch produces a result like (original_user=foo OR original_user=bar) then this makes no sense.

| eval Name= mvindex((newValue),1)
(original_user=foo OR original_user=bar)
| stats values(*) as *

Try this, instead

(index=<my index>) EventType="A" EventType=A
| rename username as original_user
| eval Id= mvindex((newValue),0)
| eval Name= mvindex((newValue),1)
| search [ search index=<my index> <filtering by a string>
| eval src_email= mvindex((newValue),3)
| rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)"
| fields original_user
| format ]
| stats values(*) as *

Or this similar query for better performance

(index=<my index>) EventType="A" EventType=A [ search index=<my index> <filtering by a string>
| eval src_email= mvindex((newValue),3)
| rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)"
| fields original_user
| rename original_user as username
| format ]
| rename username as original_user
| eval Id= mvindex((newValue),0)
| eval Name= mvindex((newValue),1)
| stats values(*) as *
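
The placement described above can be tried on any Splunk instance without touching an index. This is an added example, not part of the original answer; the addresses and the helper field n are constructed, and makeresults stands in for both the outer events and the subsearch rows.

```spl
| makeresults count=4 ```constructed sample events standing in for the outer search```
| streamstats count as n
| eval username=case(n=1,"foo@example.com", n=2,"bar@example.com", n=3,"baz@example.com", n=4,"foo@example.com")
| search
    [| makeresults count=2 ```constructed sample rows standing in for the filtered subsearch```
     | streamstats count as n
     | eval src_email=if(n=1,"Foo <foo@example.com>","bar@example.com")
     | rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)"
     | fields original_user
     | rename original_user as username
     | format ]
| rename username as original_user
| stats count by original_user
```

Running the bracketed pipeline on its own, without the brackets, shows the generated filter in a field named search, which is the text that gets substituted at the position of the subsearch.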