I have a search that gets the count of events by users which works well. However, I want to have the chart list all users and not only the ones in the result set.
The result set includes userA, userB, userC; however, I want my chart to be built like the following:
userA, userB, userC, userD, userE
If there are no results, then 0; otherwise, if the user returns a result, the chart reflects that.
users.csv has a list of users matching what is returned in the search as owner: userA = 01, userB = 02, etc.
index=myindex status=open
| lookup users.csv owner OUTPUT userID
| chart count by userID
Something like this should do it:
index=myindex status=open
| lookup users.csv owner OUTPUT userID
| chart count by userID
| append [| inputlookup users.csv | table userID | eval count=0]
| chart max(count) by userID
@jenishka - If there are no events related to some users, how do you know the user names? Is it always going to be certain static users, or is there a lookup for user IDs?
I was hoping to have a static list and if no events match default to 0.
@jenkinsta you can try something like this-
index=<yourindexname> sourcetype=<yoursourcetype>
| stats count by owner
| append [| inputlookup users.csv | eval count=0 | fields owner count]
| chart sum(count) as total by owner
Hi @jenkinsta,
Could you please share your search query with us so we can help you out better?
To fill null values with 0 you can use the fillnull command or an eval logic with an if and isnull parameter.
Cheers,
David
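The fillnull approach mentioned above, written out as an added example (not a query posted by anyone in this thread): it starts from the static list in users.csv, left-joins the event counts onto it, and fills the users with no events with 0. It assumes users.csv has the owner and userID columns implied by the lookup in the question, and reuses the question's index and status filter.

```spl
| inputlookup users.csv
| fields userID
| join type=left userID
    [ search index=myindex status=open
      | lookup users.csv owner OUTPUT userID
      | stats count by userID ]
| fillnull value=0 count
| sort userID
```

Replacing the fillnull line with `| eval count=if(isnull(count), 0, count)` gives the same result. Because the list of users drives the output, a user removed from users.csv also disappears from the chart, so the lookup has to be kept current for the zero rows to be trustworthy.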