https://community.splunk.com/t5/Splunk-Search/How-to-use-a-rex-field-in-another-search/m-p/548689#M155661 <P>Hello,</P><P>It did not work. I am still getting 0 results.</P> Tue, 20 Apr 2021 21:25:07 GMT irvindominguezs 2021-04-20T21:25:07Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-rex-field-in-another-search/m-p/548666#M155656 <P>I am trying the following query. However, activityId is not being passed to the second query and I am not having any results.</P><P>index=kubernetes lineOfBusiness=ifm component=chub useCase=C5 responsePayload<BR />| rex field=_raw "imsiActivationDate\"\:\"(?&lt;imsiActivationDate&gt;[^\"]*)"<BR />| rex field=_raw "simChangeDate\"\:\"(?&lt;simChangeDate&gt;[^\"]*)"<BR />| rex field=_raw "activity-id=(?&lt;activityId&gt;[^||]*)"<BR />| table activityId | map search="index=kubernetes lineOfBusiness=ifm component=ifm activity-id=*$activityId$*" | rex field=_raw "msisdn":"=(?&lt;msisdn&gt;[^=]*)" | dedup activityId, msisdn<BR />| table activityId msisdn</P> Tue, 20 Apr 2021 18:53:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-rex-field-in-another-search/m-p/548666#M155656 irvindominguezs 2021-04-20T18:53:00Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-rex-field-in-another-search/m-p/548686#M155660 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225260">@irvindominguezs</a>,<BR /><BR />Instead of using the <STRONG>map</STRONG> command, you can use the first/main search as a <STRONG>sub search</STRONG> to filter&nbsp;<SPAN><STRONG>activityId</STRONG> in the second search.</SPAN></P><LI-CODE lang="markup">index=kubernetes lineOfBusiness=ifm component=ifm activity-id IN([| search index=kubernetes lineOfBusiness=ifm component=chub useCase=C5 responsePayload | rex field=_raw "activity-id=(?&lt;activityId&gt;[^||]*)" | eval activityId="*".activityId."*" | stats values(activityId) as re | return $re]) | rex field=_raw "msisdn":"=(?&lt;msisdn&gt;[^=]*)" | dedup activityId, msisdn | table activityId msisdn</LI-CODE><P>&nbsp;</P><P>If this reply helps you, a like would be appreciated.</P> Tue, 20 Apr 2021 21:13:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-rex-field-in-another-search/m-p/548686#M155660 manjunathmeti 2021-04-20T21:13:30Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-rex-field-in-another-search/m-p/548689#M155661 <P>Hello,</P><P>It did not work. I am still getting 0 results.</P> Tue, 20 Apr 2021 21:25:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-rex-field-in-another-search/m-p/548689#M155661 irvindominguezs 2021-04-20T21:25:07Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-rex-field-in-another-search/m-p/548722#M155671 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225260">@irvindominguezs</a>,</P><P>Can you try below?</P><LI-CODE lang="markup">index=kubernetes lineOfBusiness=ifm component=chub useCase=C5 responsePayload | rex field=_raw "imsiActivationDate\"\:\"(?&lt;imsiActivationDate&gt;[^\"]*)" | rex field=_raw "simChangeDate\"\:\"(?&lt;simChangeDate&gt;[^\"]*)" | rex field=_raw "activity-id=(?&lt;activityId&gt;[^||]*)" | table activityId | map search="search index=kubernetes lineOfBusiness=ifm component=ifm activity-id=*$activityId$*" | rex field=_raw "msisdn":"=(?&lt;msisdn&gt;[^=]*)" | dedup activityId, msisdn | table activityId msisdn</LI-CODE> Wed, 21 Apr 2021 05:49:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-rex-field-in-another-search/m-p/548722#M155671 scelikok 2021-04-21T05:49:14Z