using rex inside map search - Splunk Community

Splunk Search

index=error sourcetype=error_log "Retry counter reached"
| makemv delim="=",values
| dedup errId
| table errId
| map search="search index=error sourcetype=error_log $errId$ "Caused by" | head 1 | rex field=_raw "MessageText=(?<FailureReason>.+) Please report to system admin"
| eval FailureReason=\"$FailureReason$\"
| eval errId=\"$errId$\""
| table errId, FailureReason

The above query does not show any results. If i run the searches separately, i do see the output. What is wrong with the query please?

The query does not meet my requirement. It only lists errId and not the failure reason.

Hi @a2021cdev,

Since you are searching same index and sourcetype, you don't need map. Try this:

index=error sourcetype=error_log "Retry counter reached" OR "Caused by"
| rex  "MessageText=(?<FailureReason>.+) Please report to system admin"
| stats max(FailureReason) by errId

The query does not meet my requirement. It does not correlate errId with failure reason.

Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Observe and Secure All Apps with Splunk

Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever. Join us for an ...