Re: I'm trying to use makeresults to test an alert...

alexl1 · ‎11-14-2019

I'm trying to use makeresults to test an alert but it doesn't work because "number of events" is always 0, but I thought the point of makeresults is to always make events?

aberkow · ‎11-14-2019

I'd suggest taking a look at the documentation, Splunk usually offers examples at the bottom of their docs pages https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Makeresults#Examples. The command doesn't actually create any "events", it looks like. It just creates "statistics" to play around with. For example, if you wanted to alert on something like "what happens when a field has a value of X", you could play around with the syntax like this:

| makeresults count=3 | streamstats count | eval fieldToAlertOn=case(count=1, "I'm Fine", count=2, "ALERT", count=3, "null") | search fieldToAlertOn="ALERT"

In this example, I create 3 fake rows, use streamstats to effectively number them, add a field with an eval/case pairing. You can then set this up as an alert and ensure that it successfully triggers, sends the right message to the right location, etc. You can probably extrapolate this to whatever case you need!

richgalloway · ‎11-14-2019

Please share your query.

---
If this reply helps you, Karma would be appreciated.

alexl1 · ‎11-14-2019

|makeresults

woodcock · ‎11-14-2019

That should do it. Are you sure that your alert threshold and other details are configured correctly?

I'm trying to use makeresults to test an alert but it doesn't work

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases