I'm currently working on 3 separate data sourcetypes that have similar information:
Sourcetype 1 - Fields X,Y,Z
Sourcetype 2 - Fields A,Z
Sourcetype 3 - Fields A,B,C
I'd like to search across these 3 sourcetypes and collect stats information for things like Field X by Field B or C, but I'm struggling with how to complete this search without defaulting back to using joins, appends, subsearches, or some other suboptimal method.
I was trying the following search but kept running into the issue that only sourcetype 2 had both fields A & Z and the other sourcetypes would be dropped and my interesting fields with it:
(sourcetype=1) OR (sourcetype=2) OR (sourcetype=3)
| stats values(*) as * by A,Z
I also attempted to add a fillnull command, but was still met with a lack of interesting fields correlating correctly:
(sourcetype=1) OR (sourcetype=2) OR (sourcetype=3)
| fillnull A,Z
| stats values(*) as * by A,Z
The ultimate goal is to have a table that lists a single row with X,Y,Z,A,B,C. From there I can begin to manipulate it into other relevant stats, but I just can't figure out how to make that happen without using a join.
Any suggestions?
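One join-free way to get the single row described in the post above, as an added example that is not part of the original post. It assumes sourcetype 2 is the bridge (each Z seen there identifies its A): eventstats copies A onto the sourcetype 1 events that share a Z, and stats then groups by A alone. The makeresults rows, the st1/st2/st3 names, the *_sample values and the A_from_Z helper field are constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval sourcetype="st".n
| eval X=if(n=1, "x_sample", null()), Y=if(n=1, "y_sample", null())
| eval Z=if(n<=2, "z_sample", null())
| eval A=if(n>=2, "a_sample", null())
| eval B=if(n=3, "b_sample", null()), C=if(n=3, "c_sample", null())
| eventstats values(A) AS A_from_Z by Z
| eval A=coalesce(A, A_from_Z)
| stats values(X) AS X values(Y) AS Y values(Z) AS Z values(B) AS B values(C) AS C by A
```

Against real data, replace everything up to and including the last constructed eval with the base search over the three sourcetypes. If one Z maps to several A values, A_from_Z is multivalue and stats counts that event under each A.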