Splunk Search

How do you add dummy events to a search result?

Marinus
Communicator

I'm currently producing a table from a search. There is some static data that needs to be added which is not in the index and needs to be added at search time. I'm toying with the idea of creating a new search command to do this. Is there an easier way?

* | table name phone

Let's assume I need to add another name?

* | dummy_event name=bob, phone=555-1234 |table name phone
1 Solution

ziegfried
Influencer

There are a few options on how to do this without creating a custom search command:

... | append [ | stats count | fields - count | eval name="Bob" | eval phone="555-1234" ]

or using a csv lookup file

... | inputlookup append=t mydummyresults.csv


bbialek
Path Finder

Here is something that can help you... First, generate dummy columns and a single row of results:

index=nothing_to_see_here | stats count | eval col1="beep" | eval col2="boop" | table col1 col2
┌──────┬──────┐
│ col1 │ col2 │
├──────┼──────┤
│ beep │ boop │
└──────┴──────┘

Append data from another dummy search:

index=nothing_to_see_here |stats count | eval col1="beep" | eval col2="boop" | table col1 col2 | append [search index=nothing_to_see_here | stats count | eval col1="science" | eval col2="magic" | table col1 col2 ]
┌─────────┬───────┐
│  col1   │ col2  │
├─────────┼───────┤
│ beep    │ boop  │
│ science │ magic │
└─────────┴───────┘

greich
Communicator

As mentioned above, the correct answer is the makeresults command
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults

0 Karma

rstitt
Explorer

Check out the new "makeresults" command

greich
Communicator

While the accepted answer above works, it is a trick. The search command makeresults is the correct answer
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults

0 Karma

Marinus
Communicator

Creative, I think I'm going to hack together a quick script.

0 Karma

hegleg
Engager

Since 6.3.0 you can use

| makeresults
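
The makeresults approach from the replies above, applied to the original question, as an added example that is not part of any poster's reply. The first search appends one static row to existing results; the second builds several static rows with no indexed data at all. The name "alice" and the second phone number are constructed sample values.

```spl
*
| append
    [| makeresults
     | eval name="bob", phone="555-1234"]
| table name phone

| makeresults count=2
| streamstats count AS row
| eval name=case(row=1, "bob", row=2, "alice"),
       phone=case(row=1, "555-1234", row=2, "555-9876")
| table name phone
```

makeresults also sets a _time field on each generated row; the final table command drops it here, otherwise remove it with fields - _time.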
