How to get stats count to include zero count by ti...

lukas · ‎08-11-2020

Hi,
I have a lookup file like this -

users:

User1

User2

User3

User4

...

I need to count the events by user:

It shows me the number of events per user in the CSV file.
If a user has no events, the count is 0:

user	count
User1	2593
User2	301
User3	0
User4	1284

But I need the output additionally splitted over time (span=1h).
The output should look like this:

time	user	count
11.08.2020 11:00:00.000	User1	1023
11.08.2020 11:00:00.000	User2	190
11.08.2020 11:00:00.000	User3	0
11.08.2020 11:00:00.000	User4	1284
11.08.2020 12:00:00.000	User1	1570
11.08.2020 12:00:00.000	User2	111
11.08.2020 12:00:00.000	User3	0
11.08.2020 12:00:00.000	User4	0
time + 1h	...	...

I saw few other questions in splunk answers but they didnt work for me...
I hope you could help me. Thank a lot!

richgalloway · ‎08-11-2020

Perhaps this will help.

index=myindex 
| stats count as count by user
| inputlookup append=true userlist.csv
| fillnull count
| timechart span=1h sum(count) as count by user
| table user count

---
If this reply helps you, Karma would be appreciated.

lukas · ‎08-11-2020

Thanks for the feedback. Unfortunately it does not work, if I use the timechart command like this, I do not get any results back.

How to get stats count to include zero count by time?

count

eval

lookup

stats

subsearch

table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms