Naturally, if there are no events, you will never get a count of 0 for a user. The standard way of looking for things that have NOT happened in Splunk is to do this type of logic:

    index=index sourcetype=sourcetype Activity="logged on"
    | stats count by User
    | append [
        | inputlookup list_of_ALL_users.csv
        | fields User
        | eval count=0
    ]
    | stats max(count) as count by User
    | where count=0

You need to have the complete list of users maintained somewhere to know what users you are expecting to see, so this first counts the users that have logged on through data, then adds all the users from the CSV file, and then looks for those users who have a count of 0.

Note that looking back over 90 days may be an expensive search if you are running it regularly. If that is an issue, consider doing a daily summary of users who have logged on, and then your search will be much faster.
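The daily-summary variant suggested at the end of that answer, written out as an added example (it is not part of the original post). It assumes a summary index named `summary`, the same `index=index sourcetype=sourcetype Activity="logged on"` filter and the same `list_of_ALL_users.csv` lookup with a `User` column; all of those names are placeholders. The first search is meant to be saved as a scheduled search that runs once a day over the previous calendar day and writes one small event per user into the summary index. The second search is the 90-day "who has not logged on" check, using the same append-then-max pattern as above but reading the summary events instead of the raw logon data:

```spl
index=index sourcetype=sourcetype Activity="logged on" earliest=-1d@d latest=@d
| eval User=lower(User)
| stats count as logons by User
| collect index=summary source="daily_logons"

index=summary source="daily_logons" earliest=-90d@d
| stats sum(logons) as count by User
| append [
    | inputlookup list_of_ALL_users.csv
    | eval User=lower(User)
    | fields User
    | eval count=0
]
| stats max(count) as count by User
| where count=0
```

Two points worth checking when you adapt this. `collect` writes the `stats` output as `key=value` pairs, so `User` and `logons` are extracted at search time in the second search without any further configuration, but the summary index must already exist and the scheduled search must run as a user allowed to write to it. The `lower(User)` step on both sides is there because a user who logs on as `ALICE` but is listed as `alice` in the CSV would otherwise show up as two different users, one with logons and one with a count of 0, which is a false "never logged on" alert.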