You might want to provide a specific example as to what your expected results should look like. Do you want a table or a timechart or something else?
If you have a list of processes (I'm using a list of sourcetypes here) and you want to show which of them are running, try something like this:
| makeresults count=1 | fields - _time
| eval sourcetype="splunkd,audittrail,something,something_else" | makemv sourcetype delim="," | mvexpand sourcetype
| join type=left sourcetype [search index=_* | dedup sourcetype | table sourcetype | eval Status="ON"]
| fillnull value="OFF" Status
This gives me the following:
Status sourcetype
ON splunkd
ON audittrail
OFF something
OFF something_else