I've a CSV file which contains two values per row, 'Filter' and 'Timing'. Essentially the Filter will specify a value to search across a series of events either a field value or text in message etc. The Timing value is used in another query. What I'm after is a search query that executes this lookup file against the events and returns a count of matches for each, and more importantly, returns those for which no events where found. My current query (which does not return those with no events) is:


| inputlookup my_lookup
| eval Filter=$Filter$ | map [search source=MySource $Filter$] | stats count by EventName


So for a CSV like this:

Filter,Timing

Text found in Event A messages, 100

Text found in Event B messages, 400

Text found in Event C messages, 300

which returns something like:

EventName | Count

EventA | 250

EventB | 175

when there are matches for the first two rows but none for the second. Ideally what I'd like is:

EventName | Filter | Count

EventA | Text found in Event A messages | 250

EventB | Text found in Event B messages | 175

            | Text found in Event C messages | 0

Can anyone point me in the right direction?