Generating identical events with the same timestamp

The following example generates 5 identical events, each with the same timestamp:

| makeresults 5

The results look something like this:

Generally, events with identical timestamps isn't very useful. By combining the makeresults command with other commands, as shown in the next example, you can generate events with different timestamps.

Generat a set of events with different timestamps

You can use the makeresults command to create a series of events. This is most often used to test your search syntax. Start by creating the number of events and add the streamstats command create a field that assigns a number to each event. The following search creates a set of five results:

| makeresults count=5 
| streamstats count

The results look something like this:

You can now use the count to create different dates in the _time field, using the eval command.

| makeresults count=5 
| streamstats count
| eval _time=_time-(count*86400)

The calculation multiplies the value in the count field by the number of seconds in a day. The result is subtracted from the original _time field to get new dates equivalent to 24 hours ago, 48 hours ago, and so forth. The seconds in the date are different because _time is calculated the moment you run the search.

The results look something like this:

The dates start from the day before the original date, 2025-11-09, and go back five days.

Need more than 5 results? Simply change the count value in the makeresults command.

See also