Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get stats count to include zero count by time?

lukas
Loves-to-Learn
‎08-11-2020 02:55 AM

Hi,
I have a lookup file like this -

users:
User1
User2
User3
User4
...


I need to count the events by user:

index=myindex 
| stats count as count by user
| inputlookup append=true userlist.csv
| fillnull count
| stats sum(count) as count by user
| table user count

It shows me the number of events per user in the CSV file.
If a user has no events, the count is 0:

usercount
User12593
User2301
User30
User41284

 

But I need the output additionally splitted over time (span=1h).
The output should look like this:

timeusercount
11.08.2020 11:00:00.000 User11023
11.08.2020 11:00:00.000User2190
11.08.2020 11:00:00.000User30
11.08.2020 11:00:00.000User41284
11.08.2020 12:00:00.000User11570
11.08.2020 12:00:00.000User2111
11.08.2020 12:00:00.000User30
11.08.2020 12:00:00.000User40
time + 1h......

 

I saw few other questions in splunk answers but they didnt work for me...
I hope you could help me. Thank a lot!

Labels (6)
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-11-2020 05:50 AM

Perhaps this will help.

index=myindex 
| stats count as count by user
| inputlookup append=true userlist.csv
| fillnull count
| timechart span=1h sum(count) as count by user
| table user count
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lukas
Loves-to-Learn
‎08-11-2020 06:24 AM

Thanks for the feedback. Unfortunately it does not work, if I use the timechart command like this, I do not get any results back.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...