Using the Makeresults Command in Splunk

If you’ve been reading this blog for a while, you’ll know that I’m a big fan of Splunk, and I even went so far as to Dockerize it for use in a lab/testing environment.

CSI: Logfiles

Well, today I want to talk about a command in Splunk which I believe is seriously underrated: makeresults.

Makeresults (documented here) lets you generate fake events for testing purposes. No indexes are queried and no disks are touched, which makes makeresults very fast. And when a query runs quickly, you can run it more often, so new queries and detection content get developed faster.

In this post, I’m going to walk you through a way to use makeresults to learn the difference between the streamstats and eventstats commands.
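As an added illustration (not from the original post), the search below uses makeresults to fabricate six synthetic authentication events and then runs both commands side by side. The user and action fields, and the alternating pattern that fills them, are constructed here purely for the demonstration: eventstats stamps every event with the group's final total, while streamstats stamps each event with the running count up to that point in stream order.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=_time + n*60,
       user=if(n%2==0, "alice", "bob"),
       action=if(n%3==0, "success", "failure")
| eventstats count(eval(action="failure")) AS total_failures BY user
| streamstats count(eval(action="failure")) AS failures_so_far BY user
| table _time n user action failures_so_far total_failures
```

For bob the failures_so_far column climbs 1, 1, 2 across his three rows while total_failures reads 2 on every one of them, which is exactly the distinction a detection author needs when choosing between a threshold on a running count and a threshold on a per-entity total.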
