Hello, I am looking for a search query that can also be used as a dashboard.
The query has to search two different sourcetypes, look for data (eventtype, file, etc.), and if the information is missing in one sourcetype and found in another, then it will provide that data for that sourcetype.
You can use a case statement to do this:
... | eval Your_field=case(sourcetype == "sourcetype1", "true", sourcetype == "sourcetype2", "true", 1=1, "false")
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions
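As an added example (not part of the original answer), the search below builds four constructed events with makeresults so it runs on any Splunk instance without indexed data, then shows the case statement labelling which sourcetype carried which data and, going one step beyond the answer above, merges the two sourcetypes by a shared key so the field missing in one is filled from the other. The join key `host`, the field names `eventtype` and `file`, and the sourcetype names `sourcetype1`/`sourcetype2` are assumptions chosen for the illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval host=if(n<=2, "web01", "web02"),
       sourcetype=if(n%2==1, "sourcetype1", "sourcetype2"),
       eventtype=if(sourcetype=="sourcetype1", "ssh_login", null()),
       file=if(sourcetype=="sourcetype2", "/var/log/auth.log", null())
| fields - n
| eval has_data=case(isnotnull(eventtype) AND isnotnull(file), "both",
                     isnotnull(eventtype), "eventtype only",
                     isnotnull(file), "file only",
                     1=1, "none")
| stats values(sourcetype) AS sourcetypes,
        values(eventtype) AS eventtype,
        values(file) AS file,
        values(has_data) AS has_data
        BY host
```

The first four lines only fabricate two events per host, one from each sourcetype, where sourcetype1 carries eventtype and sourcetype2 carries file. In a real dashboard panel replace everything up to `fields - n` with your own base search, for example `index=your_index (sourcetype=sourcetype1 OR sourcetype=sourcetype2)`. The `stats ... BY host` row for each host then contains eventtype and file together even though neither sourcetype had both, and has_data shows which sourcetype supplied which value. Pick the BY field carefully: it must be populated identically in both sourcetypes, otherwise events will not be merged and the gaps stay.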
Could you be more specific in your requirement, supported with sample queries/events and expected output?