Splunk Search

Can't query data from 2 sources at the same time

jukiefc
New Member

My setup is:

2 sources imported from CSV:

test1.csv
test2.csv

Now both files have fields with dates in them:

12_May
11_May
10_May
etc

The only difference is that another file might not have the 11_May.

So test1:
10_May
11_May
12_May

test2:
10_May
12_May

So 11_May is missing from test2.

So I can see 11_May when I use the source file test1, but if I start adding the other file to the source, such as test2, the search breaks.

I will have many CSV files being imported with missing fields for dates; these won't be consistent fields.

I have tried source="*"
test1 OR test2
test1 AND test2

Basically, what I want is: if the field (Date) does not exist in one of the CSV files, just add 0 into the column that we have created for all dates in the table.

So it would be:

Test 1 got:
Name  10_May  11_May  12_May  Total
Joe   2       3       0       5

Test 2:
Name  10_May  12_May  Total
Joe   2       0       2

The Splunk dashboard should show:

Name  10_May  11_May  12_May  Total
Joe   2       3       0       5

But the whole thing breaks when you are dealing with missing date fields. Could you please put me on the right path on how I should be solving this? Thanks for reading.

0 Karma

jukiefc
New Member

Update

I might be on the right path with the following command:
| fillnull d16m value=0

So this might be the answer.

0 Karma