makeresults

Description
Generates the specified number of search results in temporary memory. If you do not specify any of the optional arguments, this command runs on the local machine and generates one result with only the _time field.

Optional arguments

count
Syntax: count=<num>
Description: The number of results to generate. If you do not specify the annotate argument, the results have only the _time field.
Default: 1

annotate
Syntax: annotate=<bool>
Description: If annotate=true, generates results with the fields shown in the table below. If annotate=false, generates results with only the _time field.
Default: false

Fields generated with annotate=true
Field: Description
_time: Date and time that you run the makeresults command.
splunk_server: The name of the server that the makeresults command is run on.
You can use these fields to compute aggregate statistics.

splunk-server
Syntax: splunk_server=<string>
Description: Use to generate results on one specific server.

splunk-server-group
Syntax: (splunk_server_group=<string>)...
Description: Use to generate results on a specific server group or groups.

format and data
You can use the format and data arguments to convert CSV- or JSON-formatted data into Splunk events. If you specify these arguments, makeresults ignores other arguments such as count or annotate.

format
Syntax: format=csv | json
Description: Specifies the format of the inline data supplied by the data argument. If you provide a format argument, makeresults expects a corresponding data argument with inline data that fits the specified format.

data
Syntax: data=<string>
Description: A collection of inline data that makeresults converts into events. If you provide a data argument, makeresults expects this data to follow the format specified by a corresponding format argument.

Usage
The makeresults command is a report-generating command. Generating commands use a leading pipe character and should be the first command in a search.

The search results created by the makeresults command are created in temporary memory and are not saved to disk or indexed.

You can use this command with the eval command to generate an empty result for the eval command to operate on. Order-sensitive processors might fail if the internal _time field is absent.

If you use Splunk Cloud Platform, omit any server or server group argument. If you are using Splunk Enterprise, by default results are generated only on the originating search head, which is equivalent to specifying splunk_server=local. If you provide a specific splunk_server or splunk_server_group, then the number of results you specify with the count argument is generated on all servers or server groups that you specify. If you specify a server, the results are generated for that server, regardless of the server group that the server is associated with. If you specify a count of 5 and you target 3 servers, then you will generate 15 total results. If annotate=true, the names for each server appear in the splunk_server column. This column will show that each server produced 5 results.

Generating results from inline CSV- or JSON-formatted data
Use the format and data arguments in conjunction to generate events from CSV- or JSON-formatted data.

Inline JSON data must be provided as a series of JSON objects, all within a single JSON array. makeresults generates a separate event for each JSON object. The keys of that object become fields, and the object values become field values. Each key must be bracketed in escaped quotes. The entire JSON array must be placed within single quotation marks ( ' ). Here is an example of JSON-formatted data:

Inline data in CSV format consists of a set of lines. The first line contains the schema, or headers, for the CSV table. This first line consists of a comma-separated list of strings, and each string corresponds to a field name. The schema ends when a newline character is reached. Each line following the schema line contains comma-separated field values, and each of these subsequent lines is translated by makeresults into an individual event. Use newlines to indicate the end of one event and the beginning of another. Here is an example of CSV-formatted data:

Inline datasets cannot exceed a threshold of 30,000 characters. If makeresults cannot parse the data for the specified format, it returns an error.

Basic examples

1. Create a result as an input into the eval command
Sometimes you want to use the eval command as the first command in a search. However, the eval command expects events as inputs. You can create a dummy event at the beginning of a search by using the makeresults command. You can then use the eval command in your search.
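The inline-data rules above (one JSON array of objects with quoted keys, a CSV schema line followed by one event per line, the 30,000-character threshold, and an error on data that does not parse) modelled as a small Python parser. This is an added example, not Splunk's code; the function and error names, the sample records, and the treatment of CSV data with no schema line as an error are assumptions made here, and it is meant for checking a data argument before you hand it to makeresults, not as a description of Splunk's internals.

```python
import csv
import io
import json

# Documented threshold for inline datasets passed through the data argument.
MAX_INLINE_CHARS = 30_000


class MakeresultsError(ValueError):
    """Stands in for the error makeresults returns on bad inline data (assumed name)."""


def inline_data_to_events(fmt, data):
    """Model of how makeresults turns format=/data= input into events.

    json: the data must be a single JSON array of objects (keys quoted);
          each object becomes one event whose keys are the field names.
    csv:  the first line is the schema (field names); every later line is
          one event, fields separated by commas, events separated by newlines.
    Oversized or unparsable data raises MakeresultsError.
    """
    if len(data) > MAX_INLINE_CHARS:
        raise MakeresultsError(f"inline data exceeds {MAX_INLINE_CHARS} characters")
    if fmt == "json":
        try:
            parsed = json.loads(data)  # rejects unquoted keys, as the docs require
        except json.JSONDecodeError as exc:
            raise MakeresultsError(f"cannot parse JSON data: {exc}") from exc
        if not isinstance(parsed, list) or not all(isinstance(o, dict) for o in parsed):
            raise MakeresultsError("JSON data must be one array of objects")
        return [dict(obj) for obj in parsed]
    if fmt == "csv":
        reader = csv.DictReader(io.StringIO(data))  # header line becomes the schema
        rows = [dict(row) for row in reader]
        if reader.fieldnames is None:  # assumption: no schema line is an error
            raise MakeresultsError("CSV data is missing its schema line")
        return rows
    raise MakeresultsError(f"format must be csv or json, not {fmt!r}")


def parse_error(fmt, data):
    """Return the error message the parser would give for this data, or None."""
    try:
        inline_data_to_events(fmt, data)
    except MakeresultsError as exc:
        return str(exc)
    return None


# Constructed sample inputs, in the two inline layouts the documentation describes.
SAMPLE_JSON = '[{"src_ip":"10.0.0.5","action":"blocked"},{"src_ip":"10.0.0.9","action":"allowed"}]'
SAMPLE_CSV = "src_ip,action\n10.0.0.5,blocked\n10.0.0.9,allowed\n"

if __name__ == "__main__":
    for fmt, sample in (("json", SAMPLE_JSON), ("csv", SAMPLE_CSV)):
        print(fmt, inline_data_to_events(fmt, sample))
```

Both samples parse to the same two events, so the JSON and CSV layouts are interchangeable for the same data; only the quoting and length rules differ.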