https://community.splunk.com/t5/Splunk-Search/Activity-Counts/m-p/526197#M148515 <P class="p1"><SPAN class="s1">I am looking for a way to list the counts by customer (for example, including 0 activity) for the past hour, among all customers so far that has had activity since the start of the day.</SPAN></P><P class="p1"><SPAN class="s1">Example: John (15), Dave (10) and Maria (8) so far for the day. Within the past hour: Dave (3).</SPAN></P><P class="p1"><SPAN class="s1">The result I am looking for is something like this:</SPAN></P><P class="p1"><SPAN class="s1">John (0), Dave (3), Maria (0).</SPAN></P><P class="p1"><SPAN class="s1">I have looked at map, joins and subsearches, but nothing<SPAN class="Apple-converted-space">&nbsp; </SPAN>so far works. I need to list the 0 activity as well since they have been active for the day, just not in the last hour. Any ideas?</SPAN></P> Fri, 23 Oct 2020 09:10:30 GMT OliverG91 2020-10-23T09:10:30Z https://community.splunk.com/t5/Splunk-Search/Activity-Counts/m-p/526197#M148515 <P class="p1"><SPAN class="s1">I am looking for a way to list the counts by customer (for example, including 0 activity) for the past hour, among all customers so far that has had activity since the start of the day.</SPAN></P><P class="p1"><SPAN class="s1">Example: John (15), Dave (10) and Maria (8) so far for the day. Within the past hour: Dave (3).</SPAN></P><P class="p1"><SPAN class="s1">The result I am looking for is something like this:</SPAN></P><P class="p1"><SPAN class="s1">John (0), Dave (3), Maria (0).</SPAN></P><P class="p1"><SPAN class="s1">I have looked at map, joins and subsearches, but nothing<SPAN class="Apple-converted-space">&nbsp; </SPAN>so far works. I need to list the 0 activity as well since they have been active for the day, just not in the last hour. Any ideas?</SPAN></P> Fri, 23 Oct 2020 09:10:30 GMT https://community.splunk.com/t5/Splunk-Search/Activity-Counts/m-p/526197#M148515 OliverG91 2020-10-23T09:10:30Z https://community.splunk.com/t5/Splunk-Search/Activity-Counts/m-p/526205#M148519 <LI-CODE lang="markup">``` get hourly count by user over period of search ``` | bin span=1h _time | stats count by user _time ``` reset counts to zero for earlier hours ``` | eval count=if(_time &gt;= relative_time(now(),"@h"), count, 0) ``` sum counts by user ``` | stats sum(count) as count by user</LI-CODE> Fri, 23 Oct 2020 10:16:22 GMT https://community.splunk.com/t5/Splunk-Search/Activity-Counts/m-p/526205#M148519 ITWhisperer 2020-10-23T10:16:22Z https://community.splunk.com/t5/Splunk-Search/Activity-Counts/m-p/526279#M148540 <P>It worked perfectly,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;. Thank you very much!</P> Fri, 23 Oct 2020 20:52:17 GMT https://community.splunk.com/t5/Splunk-Search/Activity-Counts/m-p/526279#M148540 OliverG91 2020-10-23T20:52:17Z