https://community.splunk.com/t5/Splunk-Search/Getting-data-from-referenced-sources-if-no-data-found-in/m-p/635054#M220631 <P>After reading the question again and again, I think I get the gist of the setup: the key is the differentiation between "<SPAN>selected source" and "referenced source". (The repeated use of Source_A and Source_B in both contexts makes the question extremely confusing.)</SPAN></P><P><SPAN>But it is still unclear what "data" means in each of the word's four occurrences, and what "no data found" or "get data" really mean. &nbsp;Let me make the following assumptions:</SPAN></P><UL><LI><SPAN>"data" simply means some value of a given field, or values of select fields.</SPAN></LI><LI><SPAN>"no data found" mean that given field has no value in the "selected source". &nbsp;Whether the field appeared in the source as null value or the field name doesn't appear in that source is unimportant.</SPAN></LI></UL><P>For simplicity, I will be looking for a field named 'data'.</P><LI-CODE lang="markup">index=sample_index data=* (source="D:\datasource\*\release.xml" OR souce=D:\datasource\$selected_source$\referenced_source.txt) | eval referenced_source = if(source == "D:\datasource\$selected_source$\referenced_source.txt", split(_raw, ","), null()) | eval referenced_source = mvmap(referenced_source, "D:\datasource\\" . referenced_source . "\release.xml") | where source == "D:\datasource\$selected_source$\release.xml" OR source == referenced_source | eval selected_data = if(source == "D:\datasource\$selected_source$\release.xml", data, null()) | stats latest(data) as latest_data values(selected_data) as selected_data | eval data = coalesce(selected_data, latest_data)</LI-CODE><P>So, it is possible to do what you wanted if the assumptions are correct. &nbsp;But it is not going to be particularly efficient because all sources have to be retrieved.</P> Sun, 19 Mar 2023 07:54:01 GMT yuanliu 2023-03-19T07:54:01Z https://community.splunk.com/t5/Splunk-Search/Getting-data-from-referenced-sources-if-no-data-found-in/m-p/634235#M220304 <P>Hi all,</P><P>I want to get data from an xml file from a selected source ( eg: <STRONG>Source_A</STRONG>, <STRONG>Source_B</STRONG>, ...). When there is no data found in xml file, is it possible to get data from the referenced xml sources and pick the latest one to display the data? The referenced sources are in a text file in the same location of selected source.</P><P>The structure of folders look like this:</P><UL><LI>D:\datasource\<STRONG>&lt;source_name&gt;</STRONG>\release.xml</LI><LI>D:\datasource\<STRONG>&lt;source_name&gt;</STRONG>\referenced_sources.txt</LI></UL><P>The referenced_source text file contains values seperated by commas. Example:</P><LI-CODE lang="markup">Source_A,Source_B</LI-CODE><P>And my current SPL to retrieve data is:</P><LI-CODE lang="markup">index=sample_index source=*$selected_source$* source="*.xml"</LI-CODE><P>&nbsp;</P><P>Thanks in advance</P> Mon, 13 Mar 2023 10:09:31 GMT https://community.splunk.com/t5/Splunk-Search/Getting-data-from-referenced-sources-if-no-data-found-in/m-p/634235#M220304 boxmetal 2023-03-13T10:09:31Z https://community.splunk.com/t5/Splunk-Search/Getting-data-from-referenced-sources-if-no-data-found-in/m-p/635054#M220631 <P>After reading the question again and again, I think I get the gist of the setup: the key is the differentiation between "<SPAN>selected source" and "referenced source". (The repeated use of Source_A and Source_B in both contexts makes the question extremely confusing.)</SPAN></P><P><SPAN>But it is still unclear what "data" means in each of the word's four occurrences, and what "no data found" or "get data" really mean. &nbsp;Let me make the following assumptions:</SPAN></P><UL><LI><SPAN>"data" simply means some value of a given field, or values of select fields.</SPAN></LI><LI><SPAN>"no data found" mean that given field has no value in the "selected source". &nbsp;Whether the field appeared in the source as null value or the field name doesn't appear in that source is unimportant.</SPAN></LI></UL><P>For simplicity, I will be looking for a field named 'data'.</P><LI-CODE lang="markup">index=sample_index data=* (source="D:\datasource\*\release.xml" OR souce=D:\datasource\$selected_source$\referenced_source.txt) | eval referenced_source = if(source == "D:\datasource\$selected_source$\referenced_source.txt", split(_raw, ","), null()) | eval referenced_source = mvmap(referenced_source, "D:\datasource\\" . referenced_source . "\release.xml") | where source == "D:\datasource\$selected_source$\release.xml" OR source == referenced_source | eval selected_data = if(source == "D:\datasource\$selected_source$\release.xml", data, null()) | stats latest(data) as latest_data values(selected_data) as selected_data | eval data = coalesce(selected_data, latest_data)</LI-CODE><P>So, it is possible to do what you wanted if the assumptions are correct. &nbsp;But it is not going to be particularly efficient because all sources have to be retrieved.</P> Sun, 19 Mar 2023 07:54:01 GMT https://community.splunk.com/t5/Splunk-Search/Getting-data-from-referenced-sources-if-no-data-found-in/m-p/635054#M220631 yuanliu 2023-03-19T07:54:01Z