Generates the specified number of search results.
If you do not specify any of the optional arguments, this command runs on the local machine and generates one result with only the
| makeresults [<count>] [<annotate>] [<splunk-server>] [<splunk-server-group>...]
- Syntax: count=<num>
- Description: The number of results to generate. If you do not specify the
annotateargument, the results have only the
- Default: 1
- Syntax: annotate=<bool>
- Description: If
annotate=true, generates results with the fields shown in the table below.
annotate=false, generates results with only the
- Default: false
- Fields generated with annotate=true
Field Value _raw None. _time Date and time that you run the
host None. source None. sourcetype None. splunk_server The name of the server that the
makeresultscommand is run on.
- You can use these fields to compute aggregate statistics.
- Syntax: splunk_server=<string>
- Description: Use to generate results on one specific server. Use 'local' to refer to the search head.
- Default: local. See the Usage section.
- Syntax: (splunk_server_group=<string>)...
- Description: Use to generate results on a specific server group or groups. You can specify more than one
- Default: none. See the Usage section.
Generating commands use a leading pipe character and should be the first command in a search.
You can use this command with the eval command to generate an empty result for the eval command to operate on. See the Examples section.
Order-sensitive processors might fail if the internal _time field is absent.
Specifying server and server groups
If you use Splunk Cloud, omit any server or server group argument.
If you are using Splunk Enterprise, by default results are generated only on the originating search head, which is equivalent to specifying
splunk_server=local. If you provide a specific
splunk_server_group, then the number of results you specify with the
count argument are generated on the all servers or server groups that you specify.
If you specify a server, the results are generated for that server, regardless of the server group that the server is associated with.
If you specify a count of 5 and you target 3 servers, then you will generate 15 total results. If
annotate=true, the names for each server appear in the splunk_server column. This column will show that each server produced 5 results.
1. Create a result as an input into the
Sometimes you want to use the
eval command as the first command in a search. However, the
eval command expects events as inputs. You can create a dummy event at the beginning of a search by using the
makeresults command. You can then use the
eval command in your search.
| makeresults | eval newfield="avalue"
2. Determine if the modified time of an event is greater than the relative time
For events with the field
scheduled_time that is in Unix Epoch time, determine if the scheduled time is greater than the relative time. The relative time is 1 minute before now. This search uses a subsearch that starts with the
index=_internal sourcetype=scheduler ( scheduled_time > [ makeresults | eval it=relative_time(now(), "-m") | return $it ] )
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the makeresults command.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.2.6, 7.0.2, 7.0.5, 7.0.8, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.0.3, 7.0.0