I have a parent search which returns
_time, key, value1, value2
Now I want to join it with a CSV file with the following format
key, startDate, endDate, internalValue
I want the subsearch to join based on key and a where clause of startDate<_time AND endDate>_time, where _time is from the parent search.
Is there a way to pass the parent search's _time through to the subsearch?
Ideally I want it to be something like this
sourcetype="blah" | join key [inputlookup customer-details.csv | eval startDate=strptime(startDate, "%d/%m/%Y") | eval endDate=strptime(endDate, "%d/%m/%Y") | where startDate<_time AND endDate>_time]
Is it even possible to pass in parent data as parameters usable in the subsearch?
So I would like the correlating internalValue to link up with the matching _time on the parent search.
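
A subsearch runs before the outer search, so it cannot see each parent event's _time. The following is an added example, not part of the original post: it reverses the direction by looking up every CSV row for the key on each event and then filtering on the date range against that event's _time. The field names lkStart, lkEnd, lkValue, range, parts, startEpoch and endEpoch are hypothetical, and the CSV values are assumed not to contain the "|" character.

```spl
sourcetype="blah"
| lookup customer-details.csv key OUTPUT startDate AS lkStart, endDate AS lkEnd, internalValue AS lkValue
| eval range=mvzip(mvzip(lkStart, lkEnd, "|"), lkValue, "|")
| mvexpand range
| eval parts=split(range, "|")
| eval startEpoch=strptime(mvindex(parts, 0), "%d/%m/%Y")
| eval endEpoch=strptime(mvindex(parts, 1), "%d/%m/%Y")
| eval internalValue=mvindex(parts, 2)
| where startEpoch<_time AND endEpoch>_time
| fields - lkStart lkEnd lkValue range parts
```

Events whose key has no CSV row, or whose _time falls outside every date range for that key, are dropped by the where clause. When a key has several rows, mvzip keeps each row's startDate, endDate and internalValue together so that mvexpand produces one candidate per CSV row.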