Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

user with no activity

gnshah12345
Observer
‎05-13-2019 02:21 PM

We are monitoring the user activities for a day. The query is as follows.

remote_user=a OR remote_user=b OR remote_user=c index=my_index earliest=@d+450m latest=@d+18h |timechart count as "User Name" by remote_user.

The issue is if a user does not have activity than report is not showing that. We want the report to include the user with 0 activity. Is there a way to force that into search?

Tags (1)
0 Karma
Reply

gnshah12345
Observer
‎05-14-2019 11:28 AM

This works partially. I am getting the remote_users as a column in my table. However, the user, who does not have the activity is showing blank row instead 0. How can I force 0 when there is no activity?

0 Karma
Reply

adonio
Ultra Champion
‎05-13-2019 05:15 PM

try something like this:

remote_user=a OR remote_user=b OR remote_user=c index=my_index earliest=@d+450m latest=@d+18h 
|timechart count as "User Name" by remote_user 
| table _time a b c 
| fillnull value=0

hope it helps

0 Karma
Reply

gnshah12345
Observer
‎05-14-2019 11:30 AM

The result works partially. I am getting users as the column headers. However, the row is empty for user, who has no activity at all. The desirable result is to have 0 instead of blank.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...