Splunk Search

How do you add dummy events to a search result?

Marinus
Communicator

I'm currently producing a table from a search. There is some static data that needs to be added which is not in the index and needs to be added at search time. I'm toying with the idea to create a new search command to do this, is there an easier way?

* | table name phone

Let's assume I need to add another name?

* | dummy_event name=bob, phone=555-1234 |table name phone
Tags (2)
1 Solution

ziegfried
Influencer

There are a few options on how to do this without creating a custom search command:

... | append [ | stats count | fields - count | eval name="Bob" | eval phone="555-1234" ]

or using a csv lookup file

... | outputlookup mydummyresults.csv append=t 

View solution in original post

bbialek
Path Finder

Here is something that can help you... First, generate dummy columns and single row of results:

 index=nothing_to_see_here |stats count| eval col1="beep" | eval col2="boop"|table col1 col2
┌──────┬──────┐
│ col1 │ col2 │
├──────┼──────┤
│ beep │ boop │
└──────┴──────┘

Append data from another dummy search:

index=nothing_to_see_here |stats count | eval col1="beep" | eval col2="boop" | table col1 col2 | append [search index=nothing_to_see_here | stats count | eval col1="science" | eval col2="magic" | table col1 col2 ]
┌─────────┬───────┐
│  col1   │ col2  │
├─────────┼───────┤
│ beep    │ boop  │
│ science │ magic │
└─────────┴───────┘

greich
Communicator

as mentioned above, the correct answer is the markresults command
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults

0 Karma

rstitt
Explorer

Check out the new "makeresults" command

greich
Communicator

while the accepted answer above works, it is a trick. the search command makeresults is the correct answer
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults

0 Karma

ziegfried
Influencer

There are a few options on how to do this without creating a custom search command:

... | append [ | stats count | fields - count | eval name="Bob" | eval phone="555-1234" ]

or using a csv lookup file

... | outputlookup mydummyresults.csv append=t 

Marinus
Communicator

creative, I think I'm going to hack together a quick script.

0 Karma

hegleg
Engager

Since 6.3.0 you can use

| makeresults

link text

Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...