cant query data from 2 sources at the same time

jukiefc · ‎05-18-2020

My set is up

2 sources imported from csv

test1.csv
test2.csv

now both files have fields with dates in them

12_May
11_May
10_May
etc

the only different another file might not have the 11_May

so test1
10_May
11_May
12_May

test 2
10_May
12_May

so 11_May is missing from test2

so i can see 11_may when i use the source file test1 but if start adding the other file to the source such as test2, the search breaks.

I will have many csv files being imported with missing fields for dates, this wont be consistent fields

i have tried source="*"
test1 OR test2
test1 AND test2

basically i want is if the field(Date) does not exist in one of the csv files to just add 0 into the column that we have created for all dates in the table.

so it would be
Test 1 got
Name 10_May 11_May 12_May Total
Joe 2 3 0 5

Test 2
Name 10_May 12 May Total

Joe 2 0 2

Splunk Dashboard should show

Name 10_May 11_May 12_May Total
Joe 2 3 0 5

But the whole thing breaks when you are dealing with missing dates fields. Could you please put me on the right path on how i should be solving this. Thanks for reading.

jukiefc · ‎05-18-2020

Update

I might be on the right path with the following command
| fillnull d16m value=0

so this might be the answer

cant query data from 2 sources at the same time

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

cant query data from 2 sources at the same time

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits