Hi have a report that is sent of a daily basis.  The report provides a count for every one hour bucket. Sometimes  get 0s for a few of those hourly buckets. Instead of 0s being reported I would like for my query to replace the 0s with data from my lookup file.

index=xxx sourcetype=xxx | fields success_count | stats sum(success_count) as success_count by _time
| bin _time span=1h| stats max(success_count) as max_count by _time
| makecontinuous
| fillnull value=0
| inputlookup append=t "app_nullentries.csv"                                                                                                                                  | eval max_count=case(max_count="0" and !isnull(max_login_value), max_login_value, 1=1, max_login)

I need help getting my query to run the logic: if max_count=0, than get data from the the app_nullentries.csv and replace 0s with what is stated in the file. The file has the exact Date and time , and what value to replace the 0s with.