How to chart count by events and name?

jenkinsta · ‎06-11-2019

I have a search that gets the count of events by users which works well. However, I want to have the chart list all users and not only the ones in the result set.

The result set includes userA, userB, userC however, I want my chart to be built like the following:

userA, userB, userC, userD, userE

If no results then 0 otherwise if the user returns a result shows that the chart reflects.

Users.csv has a list of users matching that is returned in the search as owner: userA = 01, userB=02, etc.

index=myindex status=open
| lookup users.csv owner OUTPUT userID
| chart count by userID

somesoni2 · ‎06-11-2019

SOmething like this should do it

index=myindex status=open
| lookup users.csv owner OUTPUT userID
| chart count by userID
| append [| inputlookup users.csv | table userID | eval count=0]
| chart max(count) by userID

Vijeta · ‎06-11-2019

@jenishka- If there are no events related to some users , how do you know the user names? Is it always going to be certain static users or is there a lookup for user ids?

jenkinsta · ‎06-11-2019

I was hoping to have a static list and if no events match default to 0.

Vijeta · ‎06-11-2019

@jenkinsta you can try something like this-

index=<yourindexname> sourcetype=<yoursourcetype> | stats count by owner| append [|inputlookup users.csv| eval count =0 | fields owner count] | chart sum(count) as total by owner

DavidHourani · ‎06-11-2019

Hi @jenkinsta,

Could you please share your search query with us so we can help you out better ?

To fill null values with 0 you can use the fillnull command or an eval logic with an if and isnull parameter.

Cheers,
David

How to chart count by events and name?

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

The Great Resilience Quest: 9th Leaderboard Update