user with no activity

gnshah12345 · ‎05-13-2019

We are monitoring the user activities for a day. The query is as follows.

remote_user=a OR remote_user=b OR remote_user=c index=my_index earliest=@d+450m latest=@d+18h |timechart count as "User Name" by remote_user.

The issue is if a user does not have activity than report is not showing that. We want the report to include the user with 0 activity. Is there a way to force that into search?

gnshah12345 · ‎05-14-2019

This works partially. I am getting the remote_users as a column in my table. However, the user, who does not have the activity is showing blank row instead 0. How can I force 0 when there is no activity?

adonio · ‎05-13-2019

try something like this:

remote_user=a OR remote_user=b OR remote_user=c index=my_index earliest=@d+450m latest=@d+18h 
|timechart count as "User Name" by remote_user 
| table _time a b c 
| fillnull value=0

hope it helps

gnshah12345 · ‎05-14-2019

The result works partially. I am getting users as the column headers. However, the row is empty for user, who has no activity at all. The desirable result is to have 0 instead of blank.

user with no activity

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

user with no activity

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability