using rex inside map search - Splunk Community

Splunk Search

index=error sourcetype=error_log "Retry counter reached"
| makemv delim="=",values
| dedup errId
| table errId
| map search="search index=error sourcetype=error_log $errId$ "Caused by" | head 1 | rex field=_raw "MessageText=(?<FailureReason>.+) Please report to system admin"
| eval FailureReason=\"$FailureReason$\"
| eval errId=\"$errId$\""
| table errId, FailureReason

The above query does not show any results. If i run the searches separately, i do see the output. What is wrong with the query please?

The query does not meet my requirement. It only lists errId and not the failure reason.

Hi @a2021cdev,

Since you are searching same index and sourcetype, you don't need map. Try this:

index=error sourcetype=error_log "Retry counter reached" OR "Caused by"
| rex  "MessageText=(?<FailureReason>.+) Please report to system admin"
| stats max(FailureReason) by errId

The query does not meet my requirement. It does not correlate errId with failure reason.

Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...