Hi @onelasttime, as @richgalloway said, Splunk lists only the results it found so to have also the not found values you have to add them. The way to do this depends on the kind of objects to search; e.g. if you have to identify the hosts that disn't received logs, you could create a lookup (called e.g. perimeter.csv) containing the field to search (e.g. host) and then run a search like this: index=your_index | eval host=lower(host) | stats count BY host | append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ] | stats sum(count) AS total By host | where total=0 So, when you speak of "a list of identifiers" are you speaking of strings to find in the full events (_row) or values of a field? If values of a field, you could use the same approach od my sample, if instead you're meaning of strings to search in the full events (_row)  is just a little more complicated. Ciao. Giuseppe ... View more