Comments

4 comments

Sort by Date Votes
  • Official comment
    Avatar
    Ryan Johnson

    Hi Utsav,

    One way you can do this is to overwrite the _raw value with a string that you can specify.

    * 
    | limit 1
    | "Vegemite is better than Marmite" as _raw

    This would overwrite the original value with the double-quoted text you specify.

    Another way to do this would be to take advantage of the event-duplication behaviour of parse regex multi as follows:

    *
    | limit 1
    | "Apple Banana Carrot Doughnut Easter" as _raw
    | parse regex "(?<_raw>\w+)" multi

    Which would give you 5 "events" each with a unique value for the record.

    It's important to note that your environment must have at least 1 event in the timeframe you have specified for this to work (however you can use internal audit records in this way as well).

    I hope this helps :-)

    Comment actions Permalink
  • Avatar
    Utsav Patel

    Thanks Ryan,

    The query provided by you works but it is run time right? it will not ingest data in any of the sourceCatergoty or collector. What if I want to add some dummy data into my sourceCatergoty via a query?

    0
    Comment actions Permalink
  • Avatar
    Ryan Johnson

    That's correct - the operation is run time only and does not ingest any data. If you require "dummy" data to be ingested, I'd suggest using the Collection > Setup Wizard > Upload Data facility. I'd recommend using a unique Source Category value for this data (e.g. "dummy/app1") to ensure the data you upload does not unintentionally match any saved searches by other users in your environment.

    1
    Comment actions Permalink
  • Avatar
    Utsav Patel

    So I just want to confirm there is no such option to add test data via query till date right?

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post