If you’ve been reading this blog for a while, you’ll know that I’m a big fan of Splunk, and I even went so far as to Dockerize it for use in a lab/testing environment.
Well today I want to talk about a command in Splunk which I believe is seriously underrated: makeresults.
Makeresults (documented here) lets you generate fake events for testing purposes. No indexes are queried and no disks are touched, which means makeresults is very, very fast. And when a query runs quickly, you can run it more often, which means new queries and content get developed faster.
In this post, I’m going to walk you through a way to use makeresults to learn the difference between the streamstats and eventstats commands.
To get started, either log into your instance of Splunk or spin up an instance of Splunk Lab in Docker by typing:
bash <(curl -Ls https://bit.ly/splunklab)
Once you’re in Splunk, create 5 sample events:
| makeresults count=5
Okay, that’s cool: we have 5 events that just have timestamps, but can’t we do more? This is Splunk, which means that we can do tons of things with our data.
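Before we add anything, if you want to confirm that a bare timestamp really is all those events contain, a quick sketch is to pipe them into table:

| makeresults count=5
| table _time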
Let’s start by increasing the number of rows and adding in some random data:
| makeresults count=100
| eval newval=(random() % 100) + 1
| streamstats count as event_num
| eval _time=_time - 100 + event_num
We’ve got more going on here: an eval which creates a field called newval with a random value between 1 and 100, and another eval which sets the timestamp to sometime in the past 100 seconds. But the most interesting part is the addition of streamstats. Just by looking at the results, we can see that streamstats runs the stats command on the stream of events as each one comes in, which here basically gives us a counter. That field (event_num) then goes on to be used by the following eval command. Neat!
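If you want to convince yourself of how that timestamp math works out, here’s a minimal sketch (the seconds_ago field is just something I’m adding for illustration). Assuming makeresults stamps each event with the search start time, which is the same value now() returns, seconds_ago should count down from 99 to 0:

| makeresults count=100
| streamstats count as event_num
| eval _time=_time - 100 + event_num
| eval seconds_ago=now() - _time
| table event_num _time seconds_ago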
So now let’s do a little more with streamstats and its cousin eventstats:
| makeresults count=100
| eval newval=(random() % 100) + 1
| streamstats count as event_num
| eval _time=_time - 100 + event_num
| streamstats avg(newval) as avgstreamsum
| eventstats avg(newval) as avgeventsum
| eval diff=abs(avgeventsum - avgstreamsum)
We have three new commands here. The first is another call to streamstats, which computes the running average of newval as of each event. The second is eventstats, which takes the logic behind streamstats and turns it on its side: the average of newval is computed across all events, but the computed value is added to each event as a new field! Finally, the last eval computes the difference between the two.
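If the distinction still feels abstract, here’s a tiny worked example with predictable values instead of random ones (a minimal sketch; the field names running_avg and overall_avg are just mine). With newval values of 10, 20, and 30, streamstats produces running averages of 10, 15, and 20 on successive events, while eventstats puts the overall average of 20 on every event:

| makeresults count=3
| streamstats count as n
| eval newval=n*10
| streamstats avg(newval) as running_avg
| eventstats avg(newval) as overall_avg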
Last Splunk query, goooo!
| makeresults count=100
| eval newval=(random() % 100) + 1
| streamstats count as event_num
| eval _time=_time - 100 + event_num
| streamstats avg(newval) as avgstreamsum
| eventstats avg(newval) as avgeventsum
| eval diff=abs(avgeventsum - avgstreamsum)
| timechart span=1s avg(avgstreamsum) as avg_stream_sum avg(diff) as diff avg(avgeventsum) as avgeventsum
Now we have a nice timechart that shows the average of newval over the entire set of events, which is a flat line. Next we have the running average of newval as of each event, and you can see it is all over the place early on and eventually closes in on the overall average. Finally, we have diff, which shows us the difference between those two averages as of each event; by the last event the running average has seen every value, so the two averages match and diff drops to zero.
That’s all I have for this post; I just wanted to show a quick and simple use of makeresults, as it’s been one of my favorite commands for quite some time. And if you want to learn more about Splunk Lab, you can visit the project page on GitHub: https://github.com/dmuth/splunk-lab