As you continue to work with Splunk and the number of underlying use cases within your organization grows, you will ultimately encounter a situation where you need to generate some "fake" data. Perhaps you need to create a visualization for a proof of concept, perhaps you are trying to master a specific search or visualization, or perhaps you quickly need a few pieces of data to demonstrate a feature to a colleague.

As a Splunk Solution Architect and Consulting Engineer at GTRI, I often make use of synthesized data for all of these reasons and many more. While there are many methods for obtaining sample data for your Splunk needs, in this article I will focus on two methods for creating sample Splunk data sets that do not require any indexing.

Generating Time-series Data for Sample Visualizations

If you have worked with Splunk for very long, you quickly realize that users can be VERY particular about the format and appearance of visualizations. The search for this example let me quickly generate a few days of hourly data points that I could use to iteratively tweak the colors and chart format for the customer to review. It combines the gentimes, eval, and chart commands to produce a visual output that can be added to a dashboard prototype.

| gentimes start= increment=1h | eval myValue=random()%500 | eval myOtherValue=random()%300 | eval starttime=strftime(starttime, "%m-%d-%Y %H:%M:%S") | chart max(myValue) AS myValue max(myOtherValue) AS myOtherValue over starttime

The gentimes command on its own creates a series of timestamps beginning with the date specified in the start argument. In this example, I have added the increment argument to specify the interval between timestamps ("1h", or hourly, in this case). The net effect is a series of one-hour timestamps running up to the current date/time. The search passes the output of gentimes (hourly timestamps, carried in the epoch-valued starttime field) through two eval commands that create two fictitious fields and values to associate with each generated timestamp. In these first two eval commands, I used the random function with the modulo operator (%) to return a random integer from 0 up to, but not including, the modulus I specified (500 and 300 here). The third eval overwrites starttime with a human-readable string via strftime, and the chart command then outputs my fictitious data in a tabular format that can be rendered with Splunk's easy-to-use visualization tools.

Executing the search above lets you quickly generate charts like the one in the screenshot below, which can be used for tasks such as modifying simple XML to specify color settings. Various forms of this command can be used to create visualizations that mimic a data source that a customer uses (or plans on using) but cannot provide. The search can easily be modified to create any number of fields by adding additional eval statements, and a large number of discrete events can be generated quickly by adjusting the start and increment arguments to gentimes. If you have a longer-term need for the data, you could even write it to an index or summary index.

In some instances, generating a small set of tabular data may prove useful. I often work with customers who want to render Splunk search results in a table with no drilldown. With this quick and simple search, I can generate a small number of results in a tabular format. The search is particularly useful because it creates results with a wide variety of data types: timestamps, counts, string data, numerical data, and both single- and multi-value fields.
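As an added example (not part of the original article), here is a variant of the search above that extends the same gentimes/eval pattern to the other data types mentioned: a count, string fields, and a multi-value field alongside the two numeric values. The host names, HTTP status codes, and environment labels are constructed placeholders, and start=-3 (three days ago) is an assumed start date.

```spl
| gentimes start=-3 increment=1h
| eval _time=starttime
| eval myValue=random()%500
| eval myOtherValue=random()%300
| eval count=random()%50
| eval host=mvindex(split("web01,web02,web03", ","), random()%3)
| eval status=tonumber(mvindex(split("200,301,404,500", ","), random()%4))
| eval environment=mvindex(split("dev,test,prod", ","), random()%3)
| eval tags=mvappend("synthetic", "env:" . environment, "host:" . host)
| eval starttime=strftime(starttime, "%m-%d-%Y %H:%M:%S")
| table _time starttime host environment status count myValue myOtherValue tags
```

Copying the epoch starttime into _time lets the time-aware commands treat the generated rows like indexed events, so the final table can be swapped for `| timechart span=1h sum(count) AS count by host` to get a stacked time chart. The mvindex(split(...)) pairs pick a random element from a fixed list to fake categorical (string) fields, tonumber turns the chosen status code back into a number, and mvappend builds the multi-value tags field. If you need the data longer term, as noted above, append `| collect index=<summary_index>` with a summary index you own (placeholder name).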