https://community.splunk.com/t5/Splunk-Search/using-rex-inside-map-search/m-p/561933#M195436 <P>index=error sourcetype=error_log "Retry counter reached"<BR />| makemv delim="=",values<BR />| dedup errId<BR />| table errId&nbsp;<BR />&nbsp; &nbsp; &nbsp; &nbsp;| map search="search index=error sourcetype=error_log $errId$ "Caused by" | head 1 | rex field=_raw&nbsp; "MessageText=(?&lt;FailureReason&gt;.+) Please report to system admin"<BR />&nbsp; &nbsp; &nbsp; &nbsp;| eval FailureReason=\"$FailureReason$\"<BR />&nbsp; &nbsp; &nbsp; &nbsp;| eval errId=\"$errId$\""<BR />| table errId, FailureReason</P><P>The above query does not show any results. If i run the searches separately, i do see the output. What is wrong with the query please?</P> Tue, 03 Aug 2021 17:22:31 GMT a2021cdev 2021-08-03T17:22:31Z https://community.splunk.com/t5/Splunk-Search/using-rex-inside-map-search/m-p/561933#M195436 <P>index=error sourcetype=error_log "Retry counter reached"<BR />| makemv delim="=",values<BR />| dedup errId<BR />| table errId&nbsp;<BR />&nbsp; &nbsp; &nbsp; &nbsp;| map search="search index=error sourcetype=error_log $errId$ "Caused by" | head 1 | rex field=_raw&nbsp; "MessageText=(?&lt;FailureReason&gt;.+) Please report to system admin"<BR />&nbsp; &nbsp; &nbsp; &nbsp;| eval FailureReason=\"$FailureReason$\"<BR />&nbsp; &nbsp; &nbsp; &nbsp;| eval errId=\"$errId$\""<BR />| table errId, FailureReason</P><P>The above query does not show any results. If i run the searches separately, i do see the output. What is wrong with the query please?</P> Tue, 03 Aug 2021 17:22:31 GMT https://community.splunk.com/t5/Splunk-Search/using-rex-inside-map-search/m-p/561933#M195436 a2021cdev 2021-08-03T17:22:31Z https://community.splunk.com/t5/Splunk-Search/using-rex-inside-map-search/m-p/561939#M195438 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237089">@a2021cdev</a>,<BR /><BR />Since you are searching same index and sourcetype, you don't need map.&nbsp; Try this:</P><LI-CODE lang="markup">index=error sourcetype=error_log "Retry counter reached" OR "Caused by" | rex "MessageText=(?&lt;FailureReason&gt;.+) Please report to system admin" | stats max(FailureReason) by errId</LI-CODE> Tue, 03 Aug 2021 18:01:16 GMT https://community.splunk.com/t5/Splunk-Search/using-rex-inside-map-search/m-p/561939#M195438 manjunathmeti 2021-08-03T18:01:16Z https://community.splunk.com/t5/Splunk-Search/using-rex-inside-map-search/m-p/561942#M195441 <P>The query does not meet my requirement. It only lists errId and not the failure reason.&nbsp;</P><P>&nbsp;</P> Tue, 03 Aug 2021 18:15:54 GMT https://community.splunk.com/t5/Splunk-Search/using-rex-inside-map-search/m-p/561942#M195441 a2021cdev 2021-08-03T18:15:54Z https://community.splunk.com/t5/Splunk-Search/using-rex-inside-map-search/m-p/561951#M195442 <P><SPAN>The query does not meet my requirement. It does not correlate errId with failure reason.&nbsp;</SPAN></P> Tue, 03 Aug 2021 20:14:25 GMT https://community.splunk.com/t5/Splunk-Search/using-rex-inside-map-search/m-p/561951#M195442 a2021cdev 2021-08-03T20:14:25Z