I have a file like this:

Time,User-Name,Action
Thu Mar 7 15:09:22,admin,login
Thu Mar 7 17:46:21,admin,login
Thu Mar 7 18:01:33,admin,logout
Thu Mar 7 18:17:23,1111,login
Thu Mar 7 18:37:02,admin,login
Thu Mar 7 19:00:02,admin,logout
Thu Mar 7 19:05:21,admin,logout
Thu Mar 7 20:51:23,1111,logout
Thu Mar 7 21:10:45,admin,logout

I want to plot a timechart of open sessions per each user in the log file. Having read this
and this discussions, I wrote this query:

source="Accounting01" | eval Diff=if(Action="login", 1, if(Action="logout", -1, 0)) | bin _time | stats sum(Diff) as OpenSessions by _time User_Name | streamstats sum(OpenSessions) as OpenSessions by User_Name | eval Str_Time=strftime(_time, "%d-%m-%Y %H:%M:%S") | chart max(OpenSessions) as "Open sessions" by User_Name, Str_Time

This is how it looks now:

The problem is that some of the data is not shown, e. g. there is seemingly 0 sessions for admin between 18:00 and 18:35 while from the data it is obvious that they were logged in the whole time. Same with 1111: they should have 1 session for every point in time until they log out. It is more obviously reflected in the tabular version of the data:

Is it possible to alter the query so that the running sum per each user is stored per each event, even if it is 0 the whole time?

inputs.conf:

[monitor:///home/user/tmp/accounting01.csv]
disabled = false
sourcetype = Acc01
source = Accounting01

props.conf:

[Acc01]
REPORT-rep = Acc01_Fields
TRANSFORMS-skip = Skip_Header

transforms.conf:

[Acc01_Fields]
DELIMS = ","
FIELDS = "Time", "User_Name", "Action"

[Skip_Header]
REGEX = Time,
DEST_KEY = queue
FORMAT = nullQueue