Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get stats count to include zero count by time?

lukas
Loves-to-Learn
‎08-11-2020 02:55 AM

Hi,
I have a lookup file like this -

users:
User1
User2
User3
User4
...


I need to count the events by user:

index=myindex 
| stats count as count by user
| inputlookup append=true userlist.csv
| fillnull count
| stats sum(count) as count by user
| table user count

It shows me the number of events per user in the CSV file.
If a user has no events, the count is 0:

usercount
User12593
User2301
User30
User41284

 

But I need the output additionally splitted over time (span=1h).
The output should look like this:

timeusercount
11.08.2020 11:00:00.000 User11023
11.08.2020 11:00:00.000User2190
11.08.2020 11:00:00.000User30
11.08.2020 11:00:00.000User41284
11.08.2020 12:00:00.000User11570
11.08.2020 12:00:00.000User2111
11.08.2020 12:00:00.000User30
11.08.2020 12:00:00.000User40
time + 1h......

 

I saw few other questions in splunk answers but they didnt work for me...
I hope you could help me. Thank a lot!

Labels (6)
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-11-2020 05:50 AM

Perhaps this will help.

index=myindex 
| stats count as count by user
| inputlookup append=true userlist.csv
| fillnull count
| timechart span=1h sum(count) as count by user
| table user count
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lukas
Loves-to-Learn
‎08-11-2020 06:24 AM

Thanks for the feedback. Unfortunately it does not work, if I use the timechart command like this, I do not get any results back.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...