Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you add dummy events to a search result?

Marinus
Communicator
‎05-08-2012 05:23 AM

I'm currently producing a table from a search. There is some static data that needs to be added which is not in the index and needs to be added at search time. I'm toying with the idea to create a new search command to do this, is there an easier way?

* | table name phone

Let's assume I need to add another name?

* | dummy_event name=bob, phone=555-1234 |table name phone
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎05-08-2012 07:06 AM

There are a few options on how to do this without creating a custom search command:

... | append [ | stats count | fields - count | eval name="Bob" | eval phone="555-1234" ]

or using a csv lookup file

... | outputlookup mydummyresults.csv append=t

View solution in original post

Reply
Solved! Jump to solution

bbialek
Path Finder
‎01-31-2018 04:11 PM

Here is something that can help you... First, generate dummy columns and single row of results:

 index=nothing_to_see_here |stats count| eval col1="beep" | eval col2="boop"|table col1 col2
┌──────┬──────┐
│ col1 │ col2 │
├──────┼──────┤
│ beep │ boop │
└──────┴──────┘

Append data from another dummy search:

index=nothing_to_see_here |stats count | eval col1="beep" | eval col2="boop" | table col1 col2 | append [search index=nothing_to_see_here | stats count | eval col1="science" | eval col2="magic" | table col1 col2 ]
┌─────────┬───────┐
│  col1   │ col2  │
├─────────┼───────┤
│ beep    │ boop  │
│ science │ magic │
└─────────┴───────┘
Reply
Solved! Jump to solution

greich
Communicator
‎02-01-2018 12:33 AM

as mentioned above, the correct answer is the markresults command
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults

0 Karma
Reply
Solved! Jump to solution

rstitt
Explorer
‎01-06-2017 04:57 PM

Check out the new "makeresults" command

Reply
Solved! Jump to solution

greich
Communicator
‎07-18-2017 04:51 PM

while the accepted answer above works, it is a trick. the search command makeresults is the correct answer
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults

0 Karma
Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎05-08-2012 07:06 AM

There are a few options on how to do this without creating a custom search command:

... | append [ | stats count | fields - count | eval name="Bob" | eval phone="555-1234" ]

or using a csv lookup file

... | outputlookup mydummyresults.csv append=t
Reply
Solved! Jump to solution

Marinus
Communicator
‎05-10-2012 11:27 AM

creative, I think I'm going to hack together a quick script.

0 Karma
Reply
Solved! Jump to solution

hegleg
Engager
‎06-23-2016 06:02 AM

Since 6.3.0 you can use

| makeresults

link text

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...