How to create a number of dummy events?

Explorer

I was trying to find an answer for this in other threads, but unfortunately to no avail.
I'm trying to create dummy events imitating log entries.
Say I had two real log entries, one from 9/1/2016 of type "creation" (as in the alert's creation) and the other one from 9/06/2016 of type "closure". What I want to do is create 4 dummy log entries of type "ongoing" in between the two (one for each of the 2nd, 3rd, 4th and 5th of September).
Is there a way to do this? I found the "makeresults" command, but I doubt it's the right direction as I cannot think of a way to apply it to my problem.
Any help will be greatly appreciated.

0 Karma
1 Solution

Legend

To calculate days between start and complete, you can convert creation & completion dates to epoch and then subtract. However, the events you've shared don't seem to have a time for creation/completion, so I'm not sure how you plan to calculate "off hours" or anything related to hour of day for that matter. Given that, here's one approach to add "dummy days":

your base search | eval startdate=strptime(creation, "%-m/%-d/%Y")  | eval enddate=strptime(completion, "%-m/%-d/%Y") | eval workdays=mvrange(startdate, enddate, "1d") | mvexpand workdays

To this, if you have a lookup of holidays, you can flag those dates as "off hours", and you can exclude weekends like this:

... | eval dow=strftime(workdays, "%w") | where dow<6 AND dow>0

Hope this gets you started. If not, please provide more sample/complete events and the desired output.

Explorer

Thank you so much for suggesting the use of mvrange and mvexpand! I was looking to get dummy days between each log entry and with use of mvrange, mvexpand and delta functions I was able to achieve just that 🙂
Thanks again!

0 Karma

Super Champion

Please use the Eventgen app for it. You can generate the events in your local laptop/dev environment and then upload them to Splunk Web. Or try to stick a universal forwarder in your local laptop/dev environment to send them to your instance automatically.

0 Karma

Splunk Employee

Have you looked into creating an eventgen.conf to create your dummy events yet?

0 Karma

Explorer

I am using Splunk Web, so I don't have access to .conf files, I'm afraid 😕 Unless there's a way of achieving the same goal through the web UI.

0 Karma

SplunkTrust

What are you trying to accomplish with the dummy events? Perhaps there's another route to your goal without them.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

I need to calculate the "time to restore / actual working hours" for a ticket based on numerous conditions:

  1. Business Hours - each weekday may have different ones. Everything that is not within business hours should fall into "off clock" time.
  2. Holidays - they should be counted entirely as "off clock".
  3. Status "Pending" or "Resolved" - whenever the ticket goes into one of those, the clock should be stopped for the duration of the status.

Obviously the above conditions may overlap at times, so the only way I could think of for solving this problem was to search for "Creation", "Pending Start", "Pending End" and "Restoration" log entries and then split the days between each log entry into dummy log entries of type "Ongoing". Then I could put it all into a table and create helper columns like "is_business_day", "is_pending", "is_holiday", "shift_start", "shift_end", "is_before_business_hours", "is_past_business_hours" etc. with values of 0 or 1 per log entry. This way, even if two or more of the above conditions overlap (say a holiday and Pending status), they will be counted as one "off clock" time for as long as they overlap.
I hope this makes sense...

If you can think of a more straightforward solution then by all means please let me know 🙂

0 Karma
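The day-splitting approach from the accepted answer (mvrange/mvexpand, then a %w weekday check) combined with the 0/1 helper-column table described in the post above, as an added Python example that is not from the thread or from Splunk. The ticket events, the holiday lookup and the 8-hour business day are constructed assumptions, and, as with mvrange, the generated range is [start, end), so the creation day itself is included.

```python
from datetime import datetime, timedelta

def parse(d):  # same M/D/YYYY layout as the question; %m/%d accept unpadded values
    return datetime.strptime(d, "%m/%d/%Y")

# Constructed sample ticket (hypothetical, not from the thread).
EVENTS = [
    ("9/1/2016", "Creation"),
    ("9/3/2016", "Pending Start"),
    ("9/4/2016", "Pending End"),
    ("9/6/2016", "Restoration"),
]
HOLIDAYS = {parse("9/5/2016")}   # constructed holiday lookup (a Monday)
HOURS_PER_DAY = 8                # assumed: the same business hours every weekday

def dummy_days(start, end):
    """Equivalent of mvrange(start, end, "1d") | mvexpand: one row per day in [start, end)."""
    day, stop = parse(start), parse(end)
    while day < stop:
        yield day
        day += timedelta(days=1)

def expand_ticket(events, holidays):
    """Split a ticket into per-day "Ongoing" rows carrying 0/1 helper columns."""
    ordered = sorted(events, key=lambda e: parse(e[0]))
    windows, opened = [], None       # pending windows as [start, end) pairs
    for date, kind in ordered:
        if kind == "Pending Start":
            opened = parse(date)
        elif kind == "Pending End" and opened is not None:
            windows.append((opened, parse(date)))
            opened = None
    start = next(d for d, k in ordered if k == "Creation")
    end = next(d for d, k in ordered if k == "Restoration")
    rows = []
    for day in dummy_days(start, end):
        dow = int(day.strftime("%w"))  # 0=Sunday .. 6=Saturday, as in the answer's where clause
        rows.append({
            "date": day.strftime("%Y-%m-%d"),
            "type": "Ongoing",
            "is_business_day": int(0 < dow < 6),
            "is_holiday": int(day in holidays),
            "is_pending": int(any(s <= day < e for s, e in windows)),
        })
    return rows

def working_hours(rows, hours_per_day=HOURS_PER_DAY):
    """A day is on the clock only when no off-clock flag is set, so overlapping conditions count once."""
    on_clock = [r for r in rows if r["is_business_day"] and not (r["is_holiday"] or r["is_pending"])]
    return len(on_clock) * hours_per_day
```

With the sample ticket, 9/3 is both a Saturday and pending, yet it is excluded only once; the result is 2 on-clock days, i.e. 16 hours.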