Using the makeresults Command

Splunk Search Command Of The Week: Makeresults

Written by: Kinney Group
Originally published: December 27, 2023
Last updated: August 14, 2024

In the digital age where data is king, the ability to manipulate and understand it can make or break businesses. Imagine possessing the power to generate data out of thin air – a capability that could revolutionize the way you approach analytics and problem-solving. This is where the makeresults Splunk command comes into play: a command that can be a game-changer for data analysts and businesses alike. In a world brimming with data, 90% of which has been generated in the last two years, the ability to swiftly create and manipulate data sets is invaluable. If you’re looking to harness this power within Splunk, you’re in the right place.

What is the makeresults Command? 

The makeresults command in Splunk is a search command that creates a result without needing any events. This command is incredibly useful for Splunk users who need to test searches, dashboards, and alerts. It’s a tool for the crafty data analyst who wants to prototype and experiment within Splunk’s environment without the need for pre-existing data. Moving on from the basics, let’s delve into how makeresults can significantly benefit your data operations.

What are the Benefits of makeresults?

The primary advantage of makeresults is its ability to create sample data quickly. It’s a stepping stone to more efficient data analysis within Splunk.

 

Let’s explore a few specific benefits: 

  • Benefit #1 Accelerated Prototyping:

    The makeresults command allows users to quickly generate sample data sets for testing. With it, the time from concept to prototype is drastically reduced, enhancing productivity. Without this command, users may face delays as they seek or create data, hindering the development process. 

  • Benefit #2 Simplified Troubleshooting:

    A unique advantage of makeresults is its role in simplifying troubleshooting. By creating controlled data scenarios, analysts can isolate variables and identify issues more effectively, a benefit that transcends typical search capabilities. 

  • Benefit #3 Enhance Learning & Training:

    For new Splunk users, makeresults serves as an excellent training tool. It provides a safe environment to learn Splunk’s functionalities without needing access to production data.

Now, let’s look at the various applications of ‘makeresults.’ 

Types of makeresults That Can Be Used

While makeresults may seem straightforward, its applications can be diverse: 

  • Type #1 – Creating sample search output for dashboard testing. 
  • Type #2 – Generating data for alert configuration. 
  • Type #3 – Testing search queries without impacting production data. 
  • Type #4 – Building training materials for Splunk users. 
  • Type #5 – Simulating data streams for testing parsers. 
  • Type #6 – Demonstrating data concepts in educational settings. 

Let’s move into the practical application of makeresults.

How to Use makeresults

The implementation of makeresults involves several steps.

There are various ways makeresults can be utilized, but one of the most powerful is the combination of the format and data options. These allow you to create your sample data set in CSV format, producing multiple rows of data exactly as written by the user. To begin, go to Splunk’s Search and Reporting application and in a search window enter:

    | makeresults format=csv data="sample, amount
    Sample 1, .1
    Sample 2, .2
    Sample 3, .225
    Sample 4, .4
    Other, .075"
    | dedup sample


In the first line, we are invoking the makeresults command and instructing it to use the CSV format option. We then state that the data to be used is contained within the quotes (starting on line 1 and ending at the end of line 6). Following the opening quotation mark on line 1 are the field names being created, followed by a “new line” (Shift+Enter). A new line must be started to separate the field names from the data that will populate the fields. Lines 2-6 are the data rows, one row per line with the values separated by commas. At the end of the last data row (line 6 in this case), a closing quotation mark signifies the end of the data portion of the query. Line 7 uses the dedup command to remove any duplicate rows that match on the “sample” field, as makeresults will sometimes duplicate entries, resulting in multiple identical rows.

 

Running this query should produce a table with two columns, or fields, named “amount” and “sample”, containing 5 rows of data.

Use Cases for makeresults to Help You Get Started

Incorporating makeresults into real-world scenarios can demonstrate its utility. 

USE CASE #1

Scenario: Dashboard Development.

Tools: Splunk UI, Search & Reporting App.

Step 1: Create sample data. 

Use the makeresults command to create data that mimics the data expected to be present in a future index or source type, using the same field names and sample values representative of what that data will look like.

Step 2: Build and test the dashboard. 

Using the results of your query, create your dashboard or a single dashboard visualization as usual and adjust as needed.

Step 3: Refine and deploy. 

Once the dashboard or visualization is ready for deployment and the data that will dynamically populate it is being ingested, replace the part(s) of the search that used the makeresults command with the actual query against your ingested data, which the makeresults output had previously represented statically.
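As an added example (not code from the original post), here is the kind of prototype panel search that the how-to section and use case #1 describe: a small constructed data set of firewall-style rows is created with format=csv, the sample timestamp column is converted to _time with strptime so that time-based commands work, and the result is charted the way a dashboard panel would be. The field names (ts, src, action, bytes), the IP addresses and the values are all constructed for this example; the data rows are written without spaces after the commas so that the field names and values carry no leading whitespace.

```spl
| makeresults format=csv data="ts,src,action,bytes
2024-08-14T09:00:00,10.0.0.5,allowed,1200
2024-08-14T09:15:00,10.0.0.5,blocked,0
2024-08-14T10:05:00,10.0.0.9,allowed,5400
2024-08-14T10:40:00,10.0.0.9,allowed,800
2024-08-14T11:10:00,10.0.0.5,blocked,0"
| dedup ts src
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| timechart span=1h sum(bytes) AS total_bytes count(eval(action="blocked")) AS blocked
```

The dedup on the constructed ts and src fields plays the same role as the dedup on “sample” in the earlier example. Once the real firewall data is indexed, the first three lines (makeresults, dedup and the eval of _time) are replaced with the index and sourcetype search, and the timechart line stays as the panel query.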

 
USE CASE #2 (UNIQUE)

Scenario: Alert Testing

Tools: Splunk Alert Manager, “makeresults” command

 

Step 1: Generate test data. 

Use the makeresults command to create data that mimics the data expected to be present in a future index or source type, using the same field names and format. Be sure to include test data that will trigger the alert you are attempting to test.

Step 2: Configure and test alert. 

Configure your alert as usual but with a relatively short schedule, and test to ensure that the alert produces the expected results. Then modify the makeresults command so that the data it produces no longer meets the threshold, and retest to ensure the alert is no longer triggered.

Step 3: Adjust configurations based on results. 

Once the alert is ready for deployment and the live data is being ingested, replace the part(s) of the search that used the makeresults command with the actual query against your ingested data. This replaces the search code that the makeresults output had previously represented statically. Once this is complete, change the search schedule according to your needs.
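As an added example (not code from the original post), the following search walks through use case #2 for a common detection: alert when a single user account has five or more failed logons in the search window. The rows, the user names alice and bob, the source IPs and the action values are all constructed; the threshold of five and the field names are assumptions for this example. Run as written, the search returns one row (alice, six failures) and the alert fires with the standard trigger condition of “Number of Results” greater than zero; removing two of alice’s failure rows, or raising the threshold to seven, makes the search return nothing, which is the negative test described in step 2.

```spl
| makeresults format=csv data="ts,user,src,action
2024-08-14T09:00:00,alice,10.0.0.5,failure
2024-08-14T09:00:10,alice,10.0.0.5,failure
2024-08-14T09:00:20,alice,10.0.0.5,failure
2024-08-14T09:00:30,alice,10.0.0.5,failure
2024-08-14T09:00:40,alice,10.0.0.5,failure
2024-08-14T09:00:45,alice,10.0.0.5,failure
2024-08-14T09:01:00,bob,10.0.0.9,failure
2024-08-14T09:02:00,bob,10.0.0.9,success"
| dedup ts user
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| where action="failure"
| stats count AS failures min(_time) AS first_seen max(_time) AS last_seen values(src) AS src BY user
| where failures >= 5
| eval first_seen=strftime(first_seen, "%H:%M:%S"), last_seen=strftime(last_seen, "%H:%M:%S")
```

Keeping the threshold in its own where line makes the negative test a one-token change, and the first_seen and last_seen fields give the analyst who receives the alert the window in which the failures occurred. For deployment, the makeresults, dedup and eval _time lines are swapped for the authentication index search, and everything from the where action="failure" line down is kept as the alert logic.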

Conclusion

This article has navigated through the essence of makeresults, from its definition to its diverse benefits and applications. We’ve unveiled not only what makeresults is and its primary advantages but also provided a glimpse into its varied types. By following the outlined steps, you can explore the practical use of makeresults and implement the given use cases to master this powerful command within Splunk.

 

For additional information on the makeresults command please refer to Splunk’s Documentation on the subject located at: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults 
