Dashboards & Visualizations

How to fake real time data on dashboard panel?


HI fellow splunkies, and a good to to you,

I would like to know if following is possible:

Data base is historic data in a csv file. Total timerange of this data is two minutes.

Is it possible to show this data on a dashboard panel and make it look like it´s real time data?

Its for a demo and I would like the data to flow in "realtime", during a time period of 2 minutes until all the data from the csv file is read.

I hope that somehow made sense.

Maybe an example could clarify that a bit more:

Lets assume we have a video of a car accelerating form 0 to 60, and this is happining because we have a real shitty car, in 2 minutes.

As an overlay I would like to show the historic data of this acceleration in "real time" during the vid.

I appreciate any kind of idea 🙂

Thank you


0 Karma


Hello @dkeck,

please have a look at the following query, and adapt it to your needs.

| makeresults count=40 
| eval high = 80
| eval low = 10
| eval val = round(((random() % high)/(high)) * (high - low) + low)
| streamstats count as TheRecordNumber
| eval time=_time-10*TheRecordNumber
| eval _time=time
| table _time,val
0 Karma


@dkeck, you can use Eventgen app which does exactly the same.

| makeresults | eval message= "Happy Splunking!!!"


I do had a look at this app and already installed it, but I am not quite sure how to set this up after reading the tutorial http://splunk.github.io/eventgen/TUTORIAL.html

Still missing the option on delaying it to make it look like realtime

0 Karma


firstly i like the name of the question 🙂
You can sort of try to achieve this through a scripted input
You can execute a python or a simple script and as the script to pull and update the same index with a small time pause.
For example, say you have 50 data points in a 2 minutes range, you can write a script that picks the first 10 data points in the first run, next 10 in the next run and so on..

0 Karma


Thank you for the fast answer, do you might have an example on how to set this up?

So clear is, set up an input stanza, and refer to the script in /bin.


then I would add stuff like


but how would I handle the interval you mentioned ( 50 data points 10 per run)? How does the script have to look like?

0 Karma


hi i didnt know about the event gen app like @niketnilay mentions, check that out?
The settings to pick up discrete events will come in your base script, not splunk is the way i look at it.
So, assuming you have 50 data points your shell script should pick up discrete values(10-20-20) in each run, splunk will always execute the script real time.
Since this is a demo you just need to let it run thrice, you can block it in your base script say if he script is run more than 3 times 🙂
just a generic idea...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...