https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412938#M119027 <P>I was hoping to have a static list and if no events match default to 0. </P> Tue, 11 Jun 2019 16:47:41 GMT jenkinsta 2019-06-11T16:47:41Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412935#M119024 <P>I have a search that gets the count of events by users which works well. However, I want to have the chart list all users and not only the ones in the result set. </P> <P>The result set includes userA, userB, userC however, I want my chart to be built like the following:</P> <PRE><CODE>userA, userB, userC, userD, userE </CODE></PRE> <P>If no results then 0 otherwise if the user returns a result shows that the chart reflects. </P> <P>Users.csv has a list of users matching that is returned in the search as owner: userA = 01, userB=02, etc.</P> <PRE><CODE>index=myindex status=open | lookup users.csv owner OUTPUT userID | chart count by userID </CODE></PRE> Tue, 11 Jun 2019 15:19:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412935#M119024 jenkinsta 2019-06-11T15:19:41Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412936#M119025 <P>Hi @jenkinsta,</P> <P>Could you please share your search query with us so we can help you out better ?</P> <P>To fill null values with 0 you can use the <CODE>fillnull</CODE> command or an <CODE>eval</CODE> logic with an <CODE>if</CODE> and <CODE>isnull</CODE> parameter. </P> <P>Cheers,<BR /> David</P> Tue, 11 Jun 2019 16:12:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412936#M119025 DavidHourani 2019-06-11T16:12:38Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412937#M119026 <P>@jenishka- If there are no events related to some users , how do you know the user names? Is it always going to be certain static users or is there a lookup for user ids?</P> Tue, 11 Jun 2019 16:30:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412937#M119026 Vijeta 2019-06-11T16:30:07Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412938#M119027 <P>I was hoping to have a static list and if no events match default to 0. </P> Tue, 11 Jun 2019 16:47:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412938#M119027 jenkinsta 2019-06-11T16:47:41Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412939#M119028 <P>@jenkinsta you can try something like this-</P> <PRE><CODE>index=&lt;yourindexname&gt; sourcetype=&lt;yoursourcetype&gt; | stats count by owner| append [|inputlookup users.csv| eval count =0 | fields owner count] | chart sum(count) as total by owner </CODE></PRE> Tue, 11 Jun 2019 17:10:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412939#M119028 Vijeta 2019-06-11T17:10:53Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412940#M119029 <P>SOmething like this should do it</P> <PRE><CODE>index=myindex status=open | lookup users.csv owner OUTPUT userID | chart count by userID | append [| inputlookup users.csv | table userID | eval count=0] | chart max(count) by userID </CODE></PRE> Tue, 11 Jun 2019 17:49:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-count-by-events-and-name/m-p/412940#M119029 somesoni2 2019-06-11T17:49:39Z