splunk map pass multiple values


I want to create an alert based on the following search:

  • search string "a.string"
  • extract field xx, yy
  • then search "another.string" AND xx
  • then extract field zz
  • | table xx, yy, zz

Here is what I came up with (removed other fixed strings in the rex lines):

index=* "a.string"
| rex field=_raw "(?P<xx>\S+) (?P<yy>\S+)"
| map maxsearches=100 search="search index=* \"another.string\" AND $xx$
  | rex field=_raw \"(?P<zz>\S+)\"
  | eval temp_xx=\"$xx$\"
  | eval temp_yy=\"$yy$\""
| eval xx=temp_xx
| eval yy=temp_yy
| fields - temp_xx, temp_yy
| table xx, yy, zz

Everything works well, including that I got values for xx and zz in the final search result table.

However, in that final search result table yy is always empty.

I can see all the multiple values for xx, yy, zz when clicking the "Events" tab in the Splunk web GUI, so that means both my searches were successful.

But why can't I get the values for yy in the final search result table, and how do I resolve this?

warren

You might try something like this (presuming you have a common field like hostname in each event):

index=ndx sourcetype=srctp ("a.string" OR "another.string")
| rex field=_raw "some text that exists in events with a.string (?<xx>\S+) (?<yy>\S+)"
| rex field=_raw "other text found with another.string (?<zz>\S+)"
| fields xx yy zz hostname
| stats values(*) as * by hostname
| where isnotnull(xx) AND isnotnull(zz)
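A self-contained way to try the combined-search approach above without any indexed data, added here as an example and not part of warren's answer: the four events are constructed with makeresults, and it assumes the hostname is the first token of each raw event (against a real index you would rely on the indexed hostname field instead).

```spl
| makeresults
| eval _raw="web01 a.string alpha beta"
| append [| makeresults | eval _raw="web01 another.string gamma"]
| append [| makeresults | eval _raw="web02 a.string delta epsilon"]
| append [| makeresults | eval _raw="web03 another.string zeta"]
| rex field=_raw "^(?<hostname>\S+)"
| rex field=_raw "a\.string (?<xx>\S+) (?<yy>\S+)"
| rex field=_raw "another\.string (?<zz>\S+)"
| fields xx yy zz hostname
| stats values(*) as * by hostname
| where isnotnull(xx) AND isnotnull(zz)
```

Only web01 survives (xx=alpha, yy=beta, zz=gamma): web02 has no "another.string" event so zz is null, and web03 has no "a.string" event so xx is null, which is exactly what the final where relies on.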