compasssite.blogg.se

Splunk join to database








As you continue to work with Splunk and the number of underlying use cases within your organization grows, you will ultimately encounter a situation where you need to generate some “fake” data. Perhaps you need to create a visualization to use for a proof of concept; perhaps you are trying to master a specific search or visualization; or perhaps you quickly need a few pieces of data for demonstrating a feature to a colleague.

As a Splunk Solution Architect and Consulting Engineer at GTRI, I often make use of synthesized data for all of these reasons and many more. While there are many methods for obtaining sample data for your Splunk needs, in this article I will focus on two methods for creating sample Splunk data sets that do not require any indexing.

Generating Time-series Data for Sample Visualizations

If you’ve worked with Splunk for very long, you quickly realize that users can be VERY particular about the format and appearance of visualizations. The associated search for this example enabled me to quickly generate a few days of hourly data points that I could use to iteratively tweak the colors and chart format for the customer to review.

| gentimes start= increment=1h | eval myValue=random()%500 | eval myOtherValue=random()%300 | eval starttime=strftime(starttime, "%m-%d-%Y %H:%M:%S") | chart max(myValue) AS myValue max(myOtherValue) AS myOtherValue over starttime

This search uses a combination of the gentimes, eval, and chart commands to produce a visual output that can be added to a dashboard prototype. The gentimes command on its own creates a series of timestamps beginning with the date specified in the start argument. In this example, I’ve added the increment argument to further specify the interval for each timestamp (“1h” or hourly in this case). The net effect is to create 1-hour timestamps up until the current date/time. The search passes the output of the gentimes command (hourly timestamps) into a series of two eval commands that simply create two fictitious fields and values to associate with each timestamp that I generated.

For these first two eval commands, I used the random function with the % (modulo) operator to return a random number between 0 and the number I specified. The chart command simply outputs my fictitious data into a tabular format that can be used to render visualizations via Splunk’s easy-to-use visualization tools.

Executing the search above lets you quickly generate charts like the one in the screenshot below that can be used for tasks such as modifying simple XML to specify color settings. Various forms of this command can be used to create visualizations that mimic a data source that a customer uses (or plans on using) but cannot provide. This search can easily be modified to create any number of fields by adding additional eval statements.
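
The gentimes and eval pattern described in this article, extended with additional eval statements to prototype a failed-login monitoring panel. This is an added example, not a search from the original article. The field names, the relative start value (start=-3, three days back), the roughly one-in-24 spike rate and the threshold of 100 are all constructed assumptions.

```spl
| gentimes start=-3 increment=1h
| eval _time=starttime
| eval successful_logins=random()%300
| eval failed_logins=random()%20
| eval failed_logins=if(random()%24==0, failed_logins+150, failed_logins)
| eval alert_threshold=100
| eval over_threshold=if(failed_logins>alert_threshold, 1, 0)
| timechart span=1h max(successful_logins) AS successful_logins max(failed_logins) AS failed_logins max(alert_threshold) AS alert_threshold sum(over_threshold) AS over_threshold
```

Because the baseline stays under 20 and the injected spikes add 150, the synthetic series crosses the threshold a few times over three days, which gives a threshold overlay or alert-count panel something to render before real authentication data is available.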









