Splunk® Enterprise

Search Reference



Generates the specified number of search results.

If you do not specify any of the optional arguments, this command runs on the local machine and generates one result with only the _time field.


| makeresults [<count>] [<annotate>] [<splunk-server>] [<splunk-server-group>...]

Required arguments


Optional arguments

count
Syntax: count=<num>
Description: The number of results to generate. If you do not specify the annotate argument, the results have only the _time field.
Default: 1

annotate
Syntax: annotate=<bool>
Description: If annotate=true, generates results with the fields shown in the table below. If annotate=false, generates results with only the _time field.
Default: false

Fields generated with annotate=true

Field                 Value
_raw                  None.
_time                 Date and time that you run the makeresults command.
host                  None.
source                None.
sourcetype            None.
splunk_server         The name of the server that the makeresults command is run on.
splunk_server_group   None.

You can use these fields to compute aggregate statistics.

splunk-server
Syntax: splunk_server=<string>
Description: Use to generate results on one specific server. Use 'local' to refer to the search head.
Default: local. See the Usage section.

splunk-server-group
Syntax: (splunk_server_group=<string>)...
Description: Use to generate results on a specific server group or groups. You can specify more than one <splunk_server_group>.
Default: none. See the Usage section.


Usage

The makeresults command is a report-generating command. See Command types.

Generating commands use a leading pipe character and should be the first command in a search.

You can use this command with the eval command to generate an empty result for the eval command to operate on. See the Examples section.

Order-sensitive processors might fail if the internal _time field is absent.

Specifying server and server groups

If you use Splunk Cloud, omit any server or server group argument.

If you are using Splunk Enterprise, by default results are generated only on the originating search head, which is equivalent to specifying splunk_server=local. If you provide a specific splunk_server or splunk_server_group, then the number of results you specify with the count argument is generated on each of the servers or server groups that you specify.

If you specify a server, the results are generated for that server, regardless of the server group that the server is associated with.

If you specify a count of 5 and you target 3 servers, then you will generate 15 total results. If annotate=true, the names for each server appear in the splunk_server column. This column will show that each server produced 5 results.


Examples

1. Create a result as an input into the eval command

Sometimes you want to use the eval command as the first command in a search. However, the eval command expects events as inputs. You can create a dummy event at the beginning of a search by using the makeresults command. You can then use the eval command in your search.

| makeresults | eval newfield="some value"

The results look something like this:

_time newfield
2020-01-09 14:35:58 some value

2. Determine if the modified time of an event is greater than the relative time

For events with the field scheduled_time that is in Unix Epoch time, determine if the scheduled time is greater than the relative time. The relative time is 1 minute before now. This search uses a subsearch that starts with the makeresults command.

index=_internal sourcetype=scheduler ( scheduled_time > [ | makeresults | eval it=relative_time(now(), "-m") | return $it ] )

Extended examples

1. Create daily results for testing

You can use the makeresults command to create a series of results to test your search syntax. For example, the following search creates a set of 5 results:

| makeresults count=5

The results look something like this:

_time
2020-01-09 14:35:58
2020-01-09 14:35:58
2020-01-09 14:35:58
2020-01-09 14:35:58
2020-01-09 14:35:58

Each result has the exact same timestamp, which by itself is not very useful. But with a few simple additions you can create a set of unique dates. Start by adding the streamstats command to count your results:

| makeresults count=5 | streamstats count

The results look something like this:

_time count
2020-01-09 14:35:58 1
2020-01-09 14:35:58 2
2020-01-09 14:35:58 3
2020-01-09 14:35:58 4
2020-01-09 14:35:58 5

You can now use that count to create different dates in the _time field. You'll need to use the eval command.

| makeresults count=5 | streamstats count | eval _time=_time-(count*86400)

The calculation multiplies the value in the count field by the number of seconds in a day. The result is subtracted from the original _time field to get new dates equivalent to 24 hours ago, 48 hours ago, and so forth. The seconds in the date are different because _time is calculated the moment you run the search.

The results look something like this:

_time count
2020-01-08 14:45:24 1
2020-01-07 14:45:24 2
2020-01-06 14:45:24 3
2020-01-05 14:45:24 4
2020-01-04 14:45:24 5

The dates start from the day before the original date, 2020-01-09, and go back 5 days.

Need more than 5 results? Simply change the count value in the makeresults command.

2. Create hourly results for testing

You can create a series of hours instead of a series of days for testing. Use 3600, the number of seconds in an hour, instead of 86400 in the eval command.

| makeresults count=5 | streamstats count | eval _time=_time-(count*3600)

The results look something like this:

_time count
2020-01-09 15:35:14 1
2020-01-09 14:35:14 2
2020-01-09 13:35:14 3
2020-01-09 12:35:14 4
2020-01-09 11:35:14 5

Notice that the hours in the timestamp are 1 hour apart.

3. Add a field with string values

You can specify a list of values for a field. But to have the values appear in separate results, you need to make the list a multivalue field and then expand that multivalued list into separate results. Use this search, substituting your strings for buttercup and her friends:

| makeresults | eval test="buttercup rarity tenderhoof dash mcintosh fleetfoot mistmane" | makemv delim=" " test | mvexpand test

The results look something like this:

_time test
2020-01-09 16:35:14 buttercup
2020-01-09 16:35:14 rarity
2020-01-09 16:35:14 tenderhoof
2020-01-09 16:35:14 dash
2020-01-09 16:35:14 mcintosh
2020-01-09 16:35:14 fleetfoot
2020-01-09 16:35:14 mistmane

4. Add a field with a set of random numbers

If you need to test something with a set of numbers, you have 2 options.

  • You can add a field with a set of numbers that you specify. This is similar to adding a field with a set of string values, which is shown in the previous example.
  • You can add a field with a set of randomly generated numbers by using the random function, as shown below:

| makeresults count=5 | streamstats count | eval test=random()/random()

The results look something like this:

_time count test
2020-01-08 14:45:24 1 5.371091109260495
2020-01-07 14:45:24 2 0.4563314783228324
2020-01-06 14:45:24 3 0.804991002129475
2020-01-05 14:45:24 4 1.4946919835236068
2020-01-04 14:45:24 5 24.193952675772845

Use the round function to round the numbers. For example, this search rounds the numbers to 4 digits to the right of the decimal:

...| eval test=round(random()/random(),4)

The results look something like this:

_time count test
2020-01-08 14:45:24 1 5.3711
2020-01-07 14:45:24 2 0.4563
2020-01-06 14:45:24 3 0.8050
2020-01-05 14:45:24 4 1.4947
2020-01-04 14:45:24 5 24.1940
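
The techniques in extended examples 1 through 4 combine into a self-contained test for a detection search. The following is an added example, not part of the Splunk documentation: it builds 12 constructed authentication events one minute apart and runs a failed-logon threshold over them. The field names user, action and src, their values, and the threshold of 5 are assumptions chosen for illustration.

```spl
| makeresults count=12
| streamstats count
| eval _time=_time-(count*60)
| eval user=if(count%4==0, "test_user_ok", "test_user_locked")
| eval action=if(user=="test_user_ok", "success", "failure")
| eval src="192.0.2.10"
| stats count(eval(action=="failure")) AS failures count(eval(action=="success")) AS successes min(_time) AS first_seen max(_time) AS last_seen BY user src
| where failures>=5
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
```

Only test_user_locked (9 failures) passes the where clause; test_user_ok (3 successes, 0 failures) is filtered out. Once the logic behaves as expected, replace the lines before the stats command with your real base search.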

See also





This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1


Heads up - in Splunk Enterprise 6.5, if you're using "makeresults" and you click the "learn more" link for make results, it drops you at the Admin Manual homepage. It should instead send them to this docs page.

November 1, 2016

Woodcock - I have added gentimes to the See also section. I did not add makeresults, as that would create a circular link.

Lstewart splunk, Splunker
July 19, 2016

This should reference "makeresults" in the "see also" section.

July 18, 2016

This should reference "gentimes" in the "see also" section.

July 18, 2016

Woodcock and Mueller - I updated the examples based on your comments and input from one of our lead engineers (CPride).

Lstewart splunk, Splunker
December 15, 2015

Your first example is missing a leading pipe ("|") character.

December 5, 2015

If someone confuses the greater than for an output redirect, switching to less than will make them confuse it for an input redirect.

Besides, use _index_earliest=-m instead ;p

Martin mueller
December 5, 2015

The last example makes it appear that the greater-than sign is a piping character. I would use parentheses and switch to lesser-than to avoid this confusion:

index=_internal (_indextime < [ | makeresults | eval it=now()-60 | return $it])

December 4, 2015
