topic Re: user with no activity in Splunk Search

user with no activity

gnshah12345 — Wed, 30 Sep 2020 00:30:15 GMT

We are monitoring the user activities for a day. The query is as follows.

remote_user=a OR remote_user=b OR remote_user=c index=my_index earliest=@d+450m latest=@d+18h |timechart count as "User Name" by remote_user.

The issue is if a user does not have activity than report is not showing that. We want the report to include the user with 0 activity. Is there a way to force that into search?

Re: user with no activity

adonio — Tue, 14 May 2019 00:15:12 GMT

try something like this:

remote_user=a OR remote_user=b OR remote_user=c index=my_index earliest=@d+450m latest=@d+18h 
|timechart count as "User Name" by remote_user 
| table _time a b c 
| fillnull value=0

hope it helps

Re: user with no activity

gnshah12345 — Tue, 14 May 2019 18:28:31 GMT

This works partially. I am getting the remote_users as a column in my table. However, the user, who does not have the activity is showing blank row instead 0. How can I force 0 when there is no activity?

Re: user with no activity

gnshah12345 — Tue, 14 May 2019 18:30:12 GMT

The result works partially. I am getting users as the column headers. However, the row is empty for user, who has no activity at all. The desirable result is to have 0 instead of blank.