You could try multisearch, something like this:
|multisearch
[ search Source A
| search search query
| fields all fields you want from that search]
[ search Source B
| search search query
| fields all fields you want from that search]
[ search Source C
| search search query
| fields all fields you want from that search]
| eval Source A=if(like(field A),"field B",field C)
For example, I use it for potentially malicious user agents:
| multisearch
[ search (index=proxy) "script"
| search http_user_agent="*script*"
| fields _time, http_user_agent, src_ip, url]
[ search (index=proxy OR sourcetype=f5*) "Iceweasel"
| search http_user_agent="*Iceweasel*"
| fields _time, http_user_agent, src_ip, url]
[ search (index=proxy OR sourcetype=f5*) "Meterpreter/Windows"
| search http_user_agent="*Meterpreter/Windows"
| fields _time, http_user_agent, src_ip, url]
[ search (index=proxy OR sourcetype=f5*) "Mozilla/5.00 (Nikto/"
| search http_user_agent="Mozilla/5.00 (Nikto/*"
| fields _time, http_user_agent, src_ip, url]
[ search (index=proxy OR sourcetype=f5*) "dirb"
| search http_user_agent="*dirb*"
| fields _time, http_user_agent, src_ip, url]
[ search (index=proxy OR sourcetype=f5*) "WinHttp.WinHttpRequest"
| search http_user_agent="*Win32; WinHttp.WinHttpRequest*"
| fields _time, http_user_agent, src_ip, url]
| eval suspect_issue=if(like(http_user_agent,"%script%"),"Cross Site Scripting",suspect_issue)
| eval suspect_issue=if(like(http_user_agent,"%Iceweasel%"),"Kali",suspect_issue)
| eval suspect_issue=if(like(http_user_agent,"%Meterpreter%"),"Meterpreter",suspect_issue)
| eval suspect_issue=if(like(http_user_agent,"%(Nikto/%"),"Nikto Scanning",suspect_issue)
| eval suspect_issue=if(like(http_user_agent,"%dirb%"),"DirbScanning",suspect_issue)
| eval suspect_issue=if(like(http_user_agent,"%WinHttp.WinHttpRequest%"),"WScript",suspect_issue)
| stats latest(_time) AS Latest, values(url) as url by http_user_agent, suspect_issue, src_ip
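A way to check the labelling logic from the search above without any proxy data, as an added example that is not part of the original post: it runs the same patterns over constructed user-agent strings generated with makeresults. Two differences are deliberate assumptions: the values are lowercased before like(), because the search command matches case-insensitively while like() is case-sensitive (an event that matches only in a different case would get no suspect_issue and drop out of the final stats), and a single case() replaces the eval chain, ordered so that the precedence matches the chain's "last match wins" behaviour.

```spl
| makeresults
| eval sample_set="constructed test values, not real traffic"
| eval http_user_agent=split("Mozilla/5.00 (Nikto/2.1.6) (Test:000001)|<SCRIPT>test</SCRIPT>|Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Iceweasel/52.0|dirb sample agent|Meterpreter/Windows|Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)|Mozilla/5.0 (Windows NT 10.0; Win64; x64) ordinary browser", "|")
| mvexpand http_user_agent
| eval ua=lower(http_user_agent)
| eval suspect_issue=case(
    like(ua,"%winhttp.winhttprequest%"),"WScript",
    like(ua,"%dirb%"),"DirbScanning",
    like(ua,"%(nikto/%"),"Nikto Scanning",
    like(ua,"%meterpreter%"),"Meterpreter",
    like(ua,"%iceweasel%"),"Kali",
    like(ua,"%script%"),"Cross Site Scripting",
    true(),"unclassified")
| table sample_set, http_user_agent, suspect_issue
```

The uppercase <SCRIPT> row and the ordinary browser row are the ones to watch: the first should be labelled "Cross Site Scripting" and the second "unclassified".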