| name | ds-mock |
| description | [PIPELINE] Generate makeresults-based synthetic data for dashboards without real data. For viz packs, prefer CSV lookups (see vp-create) over makeresults; they produce more realistic, stable demo data. |
ds-mock – Synthetic data generator
When to use
When requirements.md reports Has data: no (or Has data: partial and the user wants mock data for the missing questions), or when the user explicitly asks to mock data.
Prerequisites
- Workspace exists at ./.splunk-dashboards/<project>/state.json.
- current_stage is scoped.
- requirements.md lists 1–5 questions.
- If the workspace does not exist, run ds-init first.
What it does
- Reads the dashboard questions from requirements.md.
- For each question, drafts a makeresults-based SPL snippet that produces plausible synthetic events.
- Assembles a JSON payload with one entry per question.
- Invokes the data_sources write CLI to persist data-sources.json and advance state to data-ready.
Pattern library
Compose mock SPL from these building blocks. Pick patterns based on the question type.
Categorical field (fixed vocabulary)
| makeresults count=100
| eval user=mvindex(split("alice,bob,carol,dave,erin",","), random()%5)
| eval action=mvindex(split("success,failure,timeout",","), random()%3)
Numeric distribution (counts, latencies)
| makeresults count=200
| eval latency_ms=round(10 + random()%500, 0)
| eval bytes=round(1024 + random()%(1024*1024), 0)
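To sanity-check what a pattern emits before wiring it into a panel, a quick simulation outside Splunk can help. A minimal Python sketch of the latency line above (an assumption for illustration: Python's random.randrange stands in for SPL's random(), whose result modulo 500 lands in 0..499):

```python
import random

# Simulate "| eval latency_ms=round(10 + random()%500, 0)" for 200 events:
# values are uniform integers over 10..509.
events = [{"latency_ms": 10 + random.randrange(500)} for _ in range(200)]

lo = min(e["latency_ms"] for e in events)
hi = max(e["latency_ms"] for e in events)
print(len(events), lo, hi)
```

This makes the bounds explicit, which matters when a panel's axis range or thresholds assume them.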
Timestamps over a window (for trends / time charts)
| makeresults count=500
| eval _time=now()-round(random()%(24*3600), 0)
IP addresses (for network-ish data)
| makeresults count=150
| eval src="10.0.0.".(random()%254+1)
| eval dest="192.168.1.".(random()%254+1)
Top-N friendly shape
After generating events, aggregate; this produces realistic leaderboards:
| makeresults count=500
| eval src=mvindex(split("10.0.0.1,10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5",","), random()%5)
| stats count by src
| sort -count
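The leaderboard shape this pattern yields can also be previewed offline. A hedged Python sketch (random.choice standing in for mvindex(split(...), random()%5); Counter.most_common plays the role of | stats count by src | sort -count):

```python
import random
from collections import Counter

sources = "10.0.0.1,10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5".split(",")

# Simulate 500 makeresults events, then aggregate and sort descending.
counts = Counter(random.choice(sources) for _ in range(500))
leaderboard = counts.most_common()  # list of (src, count), descending

for src, count in leaderboard:
    print(src, count)
```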
How to produce the data-sources.json
- For each question in requirements.md, draft an SPL query using the patterns above. Favor shapes that naturally answer the question; if the question asks "top sources", end with | stats count by src | sort -count.
- Set earliest to -24h and latest to now unless the question implies a different window.
- Give each source a short name (a human-readable label shown in the dashboard UI later).
- Assemble this JSON payload and write it via the CLI:
PYTHONPATH=<repo-root>/plugins/splunk-dashboards/src \
python3 -m splunk_dashboards.data_sources write - <<'JSON'
{
"project": "<project-name-from-state.json>",
"source": "mock",
"sources": [
{
"question": "What are the top failed login sources?",
"spl": "| makeresults count=500\n| eval src=\"10.0.0.\".(random()%254+1)\n| eval action=if(random()%3==0,\"failure\",\"success\")\n| where action=\"failure\"\n| stats count by src\n| sort -count",
"earliest": "-24h",
"latest": "now",
"name": "Failed Logins by Source"
}
]
}
JSON
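Before piping the payload to the CLI, it can be worth checking its shape locally. A minimal sketch (check_payload is a hypothetical helper; the required keys are taken from the example above, not from the CLI's actual schema):

```python
import json

REQUIRED_TOP = {"project", "source", "sources"}
REQUIRED_ENTRY = {"question", "spl", "earliest", "latest", "name"}

def check_payload(raw: str) -> list[str]:
    """Return a list of problems; an empty list means the payload looks well-formed."""
    problems = []
    data = json.loads(raw)
    problems += [f"missing top-level key: {k}" for k in REQUIRED_TOP - data.keys()]
    for i, entry in enumerate(data.get("sources", [])):
        problems += [f"sources[{i}] missing: {k}" for k in REQUIRED_ENTRY - entry.keys()]
        if not entry.get("spl", "").lstrip().startswith("|"):
            problems.append(f"sources[{i}].spl should start with a generating command like | makeresults")
    return problems

payload = {
    "project": "demo",
    "source": "mock",
    "sources": [{
        "question": "What are the top failed login sources?",
        "spl": "| makeresults count=500\n| stats count",
        "earliest": "-24h",
        "latest": "now",
        "name": "Failed Logins by Source",
    }],
}
print(check_payload(json.dumps(payload)))  # -> []
```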
The CLI:
- Validates that the workspace exists.
- Writes .splunk-dashboards/<project>/data-sources.json.
- Advances state.json from current_stage=scoped to current_stage=data-ready (appending scoped to stages_completed).
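That stage transition amounts to a small edit of state.json. A sketch of the equivalent logic (an assumed file shape: a current_stage string plus a stages_completed list, per the fields named above; the real CLI may track more):

```python
import json

def advance_to_data_ready(state_json: str) -> str:
    """scoped -> data-ready, recording scoped as completed."""
    state = json.loads(state_json)
    if state["current_stage"] != "scoped":
        raise ValueError(f"expected current_stage=scoped, got {state['current_stage']}")
    state["stages_completed"] = state.get("stages_completed", []) + ["scoped"]
    state["current_stage"] = "data-ready"
    return json.dumps(state)

before = '{"current_stage": "scoped", "stages_completed": ["init"]}'
after = json.loads(advance_to_data_ready(before))
print(after["current_stage"], after["stages_completed"])
# prints: data-ready ['init', 'scoped']
```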
Next step
After this skill completes, move to ds-design to wireframe the dashboard layout.
⚠️ MUST LOAD – before drafting any mock SPL
Two skills MUST be consulted for every mock query you write:
- spl-gotchas (from the splunk-spl plugin): makeresults patterns, dotted-field quoting, the case() default trap, spath output= not as, and 20+ more traps. Catches the silent-fail traps that produce empty panels even when SPL parses cleanly.
- ds-pick-viz: confirms the mock data shape will satisfy the viz the user expects. The same per-viz traps apply to mock as to real data: | geostats for bubble layers, lowercase source / target / value for sankey, | sort before bar chart binding, full country names for geom geo_countries.
For the ds.test JSON shape (when you want inline columnar data instead of makeresults), see ds-ref-syntax § dataSources.
The most common mock-SPL traps (a mirror of ds-data-explore):
- splunk.bar / splunk.column: needs | sort (no auto-sort).
- splunk.map bubble layer: requires | geostats latfield=lat longfield=lon …, NOT | stats count by lat lon.
- splunk.map choropleth: needs | geom geo_<lookup> featureIdField=<col> and the right key shape (full names vs ISO-2; see ds-viz-map GOTCHAS).
- splunk.sankey: needs lowercase source / target / value field names exactly.
- Any sparkline column on splunk.table: must be built with | stats sparkline(...) by <key>, NOT | eval x="..." | makemv.