Splunk Search

How do you add dummy events to a search result?

Communicator

I'm currently producing a table from a search. There is some static data that needs to be added which is not in the index and needs to be added at search time. I'm toying with the idea to create a new search command to do this, is there an easier way?

* | table name phone

Let's assume I need to add another name?

* | dummy_event name=bob, phone=555-1234 |table name phone
Tags (2)
1 Solution

Influencer

There are a few options on how to do this without creating a custom search command:

... | append [ | stats count | fields - count | eval name="Bob" | eval phone="555-1234" ]

or using a csv lookup file

... | outputlookup mydummyresults.csv append=t 

View solution in original post

Path Finder

Here is something that can help you... First, generate dummy columns and single row of results:

 index=nothing_to_see_here |stats count| eval col1="beep" | eval col2="boop"|table col1 col2
┌──────┬──────┐
│ col1 │ col2 │
├──────┼──────┤
│ beep │ boop │
└──────┴──────┘

Append data from another dummy search:

index=nothing_to_see_here |stats count | eval col1="beep" | eval col2="boop" | table col1 col2 | append [search index=nothing_to_see_here | stats count | eval col1="science" | eval col2="magic" | table col1 col2 ]
┌─────────┬───────┐
│  col1   │ col2  │
├─────────┼───────┤
│ beep    │ boop  │
│ science │ magic │
└─────────┴───────┘

Communicator

as mentioned above, the correct answer is the markresults command
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults

0 Karma

Explorer

Check out the new "makeresults" command

Communicator

while the accepted answer above works, it is a trick. the search command makeresults is the correct answer
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults

0 Karma

Influencer

There are a few options on how to do this without creating a custom search command:

... | append [ | stats count | fields - count | eval name="Bob" | eval phone="555-1234" ]

or using a csv lookup file

... | outputlookup mydummyresults.csv append=t 

View solution in original post

Communicator

creative, I think I'm going to hack together a quick script.

0 Karma

Engager

Since 6.3.0 you can use

| makeresults

link text