Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generating _events_ in search

PickleRick
SplunkTrust
SplunkTrust
‎11-09-2021 03:32 AM

Hello there.

I was wondering... is there any way to generate _events_ in search?

I mean, I know of the makeresults command of course but it generates stats results, not events per se.

Is there any way to generate events search-time, to - for example - test parsing rules?

Something like (pseudocode):

| <generate_my_events> | eval _raw="blah blah" | eval source="syslog" | eval sourcetype="whatever:syslog"
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-09-2021 06:19 AM

Tried that 🙂 That was my first obvious choice.

It generates the results as stats, not as events.

PickleRick_0-1636467333474.png

As I said, the point is mostly to check parsing without the need of external event source.

But I just thought of something else 🙂
I still can't generate the event "on the fly" but I can generate it with makeresults and then write it to a test index with collect. It doesn't give me much flexibility in the host/time/source area but those are indexed fields anyway. But sourcetype can be specified with collect so I think I'm good.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ldongradi_splun
Splunk Employee
Splunk Employee
‎12-10-2021 03:01 AM

It's possible to append makeresults to an events search so to generate events instead of a stats table, with that syntax :

index=dummy earliest=-1s
| append [| makeresults count=8935 | eval _time=('_time' - (random() % 86400))]

After that you can play with the number of events and the timrange (here with a backfill of 24h).

You can improve the events content with some random data before closing the subsearch:

 | eval ip=((((("10." . (((random() % 4) * 10) + 10)) . ".") . ((random() % 16) + 17)) . ".") . ((random() % 16) + 33))

 

| eval _spacelist="Lungdanum Londres Londra Londar Landan Londin Lonn London Paris Parigi Paras Lutetia Parais Paras Pari Paries Pariis Pariisi Parijs Ba-le Parisium New-York Berlin Washington Kathmandu"
| makemv delim=" " _spacelist
| eval city=mvindex(_spacelist,((random() % mvcount(_spacelist)) - 1)) 

 

| eval _dashlist=" problem- issue- situation- operation- intervention-" 
| makemv delim="-" _dashlist 
| eval operation=mvindex(_dashlist,((random() % mvcount(_dashlist)) - 1))

 

And end up with:

| eval _raw=_time.operation." in ".city." from ".ip
  • There nothing indexed.
  • Events are generated on the fly.
  • You can create your own lists with or without a lookup.
  • You can add that to a dashboard to make it more interactive.

ldongradi_splun_0-1639134057621.png

 

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-10-2021 03:58 AM

Now that's a neat trick!

It seems that it indeed does generate events instead of stats table.

Unfortunately, those events are not parsed.

For example - the same event as a result from the normal search:

PickleRick_0-1639137405450.png

And the same event re-created with makeresults:

PickleRick_1-1639137470970.png

Of course I wouldn't expect index-time extractions to work but apparently search-time transforms are not applied either.

0 Karma
Reply
Solved! Jump to solution

ldongradi_splun
Splunk Employee
Splunk Employee
‎12-10-2021 04:13 AM

If you want it indexed and parsed, you can make it a scheduled saved search to run every 5' with an extra

| outputcsv append=true tobeindexed.csv

Then ensure you monitor that file and you can define whatever parsing settings you want.

Personally, I use a dashboard to generate some events with either a log format or a JSON format, and I add a filter to reduce activity by a random of 50% for night hours and 20% for weekends.

I can generate thousands of events in a blip, export them as a file, and test my parsing settings easily.

For more advanced types and inputs, I use the SA_eventgen.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2021 05:24 AM

gentimes is another event generating command particularly if you want time-based dummy data

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2021 05:18 AM

Use makeresults to generate events then use eval commands to add the desired fields to those events.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-09-2021 06:19 AM

Tried that 🙂 That was my first obvious choice.

It generates the results as stats, not as events.

PickleRick_0-1636467333474.png

As I said, the point is mostly to check parsing without the need of external event source.

But I just thought of something else 🙂
I still can't generate the event "on the fly" but I can generate it with makeresults and then write it to a test index with collect. It doesn't give me much flexibility in the host/time/source area but those are indexed fields anyway. But sourcetype can be specified with collect so I think I'm good.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...