Sometimes you need to generate random values within Splunk searches. This is particularly useful for testing searches, especially those with complex calculations and conditional logic. Splunk’s SPL lets any user do this via the random() eval function.

This function generates an integer that lies between 0 and 2147483647.

For example, if we run the following search:

| makeresults count=10000
| eval random_value = random()

We get (10000) random values that look like this:

However, the range and precision of the values that you are interested in may not correspond to this. For example, values representing temperature (in Celsius say) can be negative and do not have to be integers. Values representing percentages will lie between 0 and 100 and also don’t have to be integers.

It is possible to generate values that represent such quantities by scaling/resizing the values that are generated by random().

For percentages, we first want to generate values that lie between 0 and 1. We can do this by running the following search:

| makeresults count=10000
| eval random_value = random()
| eval precision = 100000
| eval random_value_between_0_and_1 = (random()%precision)/precision

Here we are using the ‘precision’ field to determine how many decimal places our random variables can possibly take. In this case, 100000 will produce random variables with 5 digits after the decimal point. The % (modulo) operator returns the remainder when random() is divided by precision. If, say, the initial random variable was 1552351234 then 1552351234%100000 would give 51234 and then 51234/100000 would give 0.51234.

Running the above search gives us the following:

To obtain percentage values we can then simply multiply by 100:

| makeresults count=10000
| eval random_value = random()
| eval precision = 100000
| eval random_value_between_0_and_100 = (random()%precision)/precision*100

If we plot the distribution of values, we can see that we do in fact have a uniform distribution of values from 0 to 100.

If we want negative values to be allowed (like in the case of temperature) then we can introduce a min_value field and apply this to our calculation. The search then becomes:

| makeresults count=10000
| eval random_value = random()
| eval precision = 100000
| eval min_value = -50
| eval random_value_between_minus_50_and_50 = (random()%precision)/precision*100+min_value

Which gives us values like those shown below (note the presence of negative values):

Whilst it is unlikely you will want your final searches to contain values being generated randomly, you may wish to use random values in order to test the various paths that a set of calculations can go down. By judicious use of the random() function, this can be achieved very easily.
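
The following Python sketch is an added example, not part of the original post. It reproduces the scaling expression from the searches above with exact arithmetic and checks how close to uniform the modulo step really is. It assumes random() is uniform over the integers 0 to 2147483647 inclusive; the function names and the span parameter (the multiplier, 100 in the searches above) are hypothetical.

```python
# Added example: models the page's SPL expression
#   (random() % precision) / precision * span + min_value
# Assumption: random() is uniform over the integers 0..2147483647 inclusive.
from fractions import Fraction

RAW_VALUES = 2**31  # number of distinct outputs of random(), 0..2147483647


def scale(raw, precision, span=1, min_value=0):
    """Apply the page's scaling to one raw random() value, exactly."""
    return Fraction(raw % precision, precision) * span + min_value


def output_range(precision, span=1, min_value=0):
    """Smallest and largest value the scaled field can take."""
    return (scale(0, precision, span, min_value),
            scale(precision - 1, precision, span, min_value))


def modulo_bias(precision):
    """How unevenly the raw values fall onto the residues 0..precision-1.

    Returns (favoured, low_count, high_count): the first `favoured` residues
    are hit high_count times each, the remaining ones low_count times.
    """
    if not 0 < precision <= RAW_VALUES:
        raise ValueError("precision must be between 1 and 2**31")
    low_count, favoured = divmod(RAW_VALUES, precision)
    high_count = low_count + 1 if favoured else low_count
    return favoured, low_count, high_count


if __name__ == "__main__":
    raw = 1552351234  # the raw value used in the page's walk-through
    print("0..1     :", float(scale(raw, 100000)))
    print("percent  :", float(scale(raw, 100000, span=100)))
    print("min -50  :", float(scale(raw, 100000, span=100, min_value=-50)))
    lo, hi = output_range(100000, span=100, min_value=-50)
    print("range    :", float(lo), "to", float(hi))
    favoured, low, high = modulo_bias(100000)
    print(f"{favoured} residues occur {high} times, the rest {low} times")
    print(f"relative skew: {(high - low) / low:.6%}")
```

With precision = 100000 the skew between the most and least likely values is under 0.005%, and the upper bound itself is never produced: the largest value is one precision step below min_value + span.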


For 2021 we’ve committed to posting a new Splunk tip every week!

Posted by: Andrew MacLeod

Andrew is a certified Splunk Admin and has worked for iDelta for over two years. Previously, he worked as an actuarial analyst in the life and pensions industry - a role that he was in for over 7 years before deciding to embark on a career change into the IT industry. He holds an MPhys degree in theoretical physics from the University of Edinburgh. Outside of work he is a big puzzle fan, with a particular penchant for things cruciverbal and mathematical.