Splunk Search

How to create multiple events with different values using makeresults

djoobbani
Path Finder

Hi there:

I have the following makeresults query:


| makeresults count=3
| eval source="abc"
| eval msg="consumed"
| eval time_1="2023-11-09T21:33:05Z"
| eval time_2="2023-11-09T21:40:05Z"

So i want to create three different events where the values for time_1 & time_2 are different for each event.
How can i do that?

Thanks!

Labels (2)
0 Karma
1 Solution

tscroggins
Influencer

You could just create one event instead of three, or in the example, just return the first event:

| head 1

If you're working with ISO time strings but unknown times in an unknown order, you can sort lexicographically:

| sort time_1
| head 1

If the time format is known but not necessarily in ISO format, you can convert time_1 to an epoch value using the appropriate format string (still ISO in this example) and sort the result:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| sort time_1_epoch
| head 1

If multiple events have the same time_1 value, you can use eventstats and where:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| eventstats min(time_1_epoch) as min_time_1
| where time_1_epoch==min_time_1

View solution in original post

tscroggins
Influencer

Hi @djoobbani,

I find the simplest way to generate multiple events is a combination of makeresults, eval, and mvexpand:

| makeresults
| eval source="abc"
| eval msg="consumed"
| eval time_pairs=split("2023-11-09T21:33:05Z,2023-11-09T21:40:05Z|2023-11-09T21:34:05Z,2023-11-09T21:41:05Z|2023-11-09T21:35:05Z,2023-11-09T21:42:05Z", "|")
| mvexpand time_pairs
| eval time_pairs=split(time_pairs, ",")
| eval time_1=mvindex(time_pairs, 0), time_2=mvindex(time_pairs, 1)
| fields - time_pairs

 You can also use streamstats count combined with eval case:

| makeresults count=3
| eval source="abc"
| eval msg="consumed"
| streamstats count
| eval time_1=case(count==1, "2023-11-09T21:33:05Z", count==2, "2023-11-09T21:34:05Z", count==3, "2023-11-09T21:35:05Z")
| eval time_2=case(count==1, "2023-11-09T21:40:05Z", count==2, "2023-11-09T21:41:05Z", count==3, "2023-11-09T21:42:05Z")
| fields - count

 These are just two examples. You can be as creative as needed.

djoobbani
Path Finder

Thank you, how would i be able to reduce the result by only displaying the row with the earliest time (time_1 field)?

Thanks!

0 Karma

tscroggins
Influencer

You could just create one event instead of three, or in the example, just return the first event:

| head 1

If you're working with ISO time strings but unknown times in an unknown order, you can sort lexicographically:

| sort time_1
| head 1

If the time format is known but not necessarily in ISO format, you can convert time_1 to an epoch value using the appropriate format string (still ISO in this example) and sort the result:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| sort time_1_epoch
| head 1

If multiple events have the same time_1 value, you can use eventstats and where:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| eventstats min(time_1_epoch) as min_time_1
| where time_1_epoch==min_time_1

djoobbani
Path Finder

Thank you very much for the solution!

Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...