topic Re: How to Get Eventgen working? in All Apps and Add-ons

How to Get Eventgen working?

skoelpin — Thu, 21 Dec 2017 19:20:56 GMT

I installed eventgen and watched the tutorial videos. I created a new app, changed the permissions to global, created a sample folder inside the new app, dropped my sample file in /opt/splunk/etc/apps/internal_app/samples, then moved the eventgen.conf.tutorial file to /opt/splunk/etc/apps/internal_app/local, renamed it to eventgen.conf, uncommented out the lines, referenced my sample file in the stanza, and restarted Splunk. After restarting, I see zero data flowing into the main index which is the one I specified in eventgen.conf.

When I do a search on the internal logs, /opt/splunk/var/log/splunk/eventgen.log I can see my data sample along with Splunk saying it backfilled successfully.

I'm stumped as to why this isn't generating data

Here's my eventgen.conf file

[Test_Data.txt]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=eventgen

outputMode = stdout
outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme


token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3,6}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f

Here's what I'm seeing in the internal logs

2017-12-21 14:01:38,605 INFO module='Timer' sample='Test_Data.txt': Stopping timer for sample 'Test_Data.txt'
host =  MCxxxxxxxxx source =/opt/splunk/var/log/splunk/eventgen.log sourcetype =eventgen

12/21/17 1:54:11.032 PM 
2017-12-21 13:54:11,032 INFO module='Timer' sample='Test_Data.txt': Backfill complete

Re: How to Get Eventgen working?

mayurr98 — Thu, 21 Dec 2017 19:44:53 GMT

Hey

Use this link

https://youtu.be/9S-ZeGEfRKg

1) download eventgen from https://github.com/splunk/eventgen
2) extract it to etc/apps/SA-Eventgen (yes, it should be named that to eventgen).
3) review Eventgen in Manage Apps, you may want to make it visible.
4) Restart Splunk
eventgen.conf and samples in them that are ready to go

Re: How to Get Eventgen working?

skoelpin — Thu, 21 Dec 2017 19:58:22 GMT

I've watched that video about 4x over now and have an identical setup and it will not generate events!

Re: How to Get Eventgen working?

naidusadanala — Tue, 29 Sep 2020 17:21:19 GMT

Replace [Test_Data.txt] with [Test_Data] , Restart the server.

It should work.

Please let us know

Re: How to Get Eventgen working?

harsmarvania57 — Tue, 29 Sep 2020 17:25:26 GMT

Hi @skoelpin,

I have created sample app with eventgen configuration and it is working fine.

Steps which I have followed
1. Installed eventgen app on splunk.
2. Created new app with name "test_app"
3. Created $SPLUNK_HOME/etc/app/test_app/default/eventgen.conf with below content

[test_data\.txt]
interval = 60
earliest = -60m
latest = now
sourcetype = test_st
source = eventgen
disabled=0
token.0.token = TTTTTTTT
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f

Created $SPLUNK_HOME/etc/apps/test_app/samples/test_data.txt file with below content

TTTTTTTT transType=ReplaceMe transID=000000 transGUID=0A0B0C userName=bob city="City" state=State zip=00000 value=0

Below content added into $SPLUNK_HOME/etc/apps/test_app/metadata/default.data
```
   [eventgen]
access = read : [ * ], write : [ admin ]
export = system
```

Restarted splunk service
And I can see data in splunk with query index=main sourcetype=test_st and events generated with eventgen are

   2017-12-22 16:19:59,595283 transType=ReplaceMe transID=000000 transGUID=0A0B0C userName=bob city="City" state=State zip=00000 value=0
2017-12-22 16:17:11,647706 transType=ReplaceMe transID=000000 transGUID=0A0B0C userName=bob city="City" state=State zip=00000 value=0

EDIT:

Tried with eventgen.conf which is provided in original question with some modification

[test_data\.txt]
mode = replay
timeMultiple = 2
backfill = -60m
backfillSearch = index=main source=eventgen

outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3,6}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f

And $SPLUNK_HOME/etc/apps/test_app/samples/test_data.txt with content

2017-10-14 11:12:13,567 transType=ReplaceMe transID=000000 transGUID=0A0B0C userName=bob city="City" state=State zip=00000 value=0

This is also backfilling data perfectly fine.

It looks you don't have any data in splunk while running backfill query index=main sourcetype=eventgen that's why eventgen is not backfilling any data.

I hope this helps.

Thanks,
Harshil

Re: How to Get Eventgen working?

skoelpin — Fri, 22 Dec 2017 16:30:52 GMT

Thanks for your detailed response. I copied your directions and have an identical setup to yours and it is still not streaming data in with that sourcetype. Does it take awhile before it starts generating?

Re: How to Get Eventgen working?

harsmarvania57 — Fri, 22 Dec 2017 17:58:04 GMT

It will generate events within 5 minutes after splunk restart. Can you please post some logs from eventgen.log file for test_data.txt file.

Re: How to Get Eventgen working?

Penkov — Wed, 12 Dec 2018 13:17:31 GMT

Hi, harsmarvania57,
Thanks for your detailed response.But i have the same problem like "skoelpin" and i wait maybe 10 or 15 minutes and i don't receive any events from eventgen.

Re: How to Get Eventgen working?

harsmarvania57 — Wed, 12 Dec 2018 13:31:01 GMT

Hi @Penkov,

I am not sure what problem are you facing but you can try Gogen instead of Eventgen https://github.com/coccyx/gogen , this also generate dummy data but I never tried this.

Re: How to Get Eventgen working?

Penkov — Wed, 12 Dec 2018 13:41:15 GMT

Thanks @harsmarvania57 for your answer. My problem is that i can't run eventgen and create any type of event. I try to copied your directions and have an identical setup to yours and it is still not streaming data in with that sourcetype.

Re: How to Get Eventgen working?

harsmarvania57 — Wed, 12 Dec 2018 13:44:21 GMT

Which version of Splunk are you running ? and Is it standalone instance, if not standalone then on which instance you installed eventgen ? It will be good to start new question with required information and refer this question link in your new question.

Re: How to Get Eventgen working?

Ohiotech — Tue, 07 May 2019 17:30:52 GMT

After installing the event gen manually (did not path correctly with directions), I added the SA-Eventgen app through the manage apps\ install from file. The trick for me was to go into the Data Input/SA-Eventgen input and enable it. (disabled during install). Events were there within minutes after a restart.

Re: How to Get Eventgen working?

ian_thomas — Thu, 20 Jun 2019 15:05:50 GMT

This fixed my issue. Thanks!

Re: How to Get Eventgen working?

inventsekar — Mon, 26 Aug 2019 13:40:57 GMT

EventGen is an important tool and at the same time, making it work looks like a very difficult task.
Poor documentation. God please save me.
Adding to the issue, like adding fuel to the fire, that video mentioned was removed.

Re: How to Get Eventgen working?

cboillot — Fri, 30 Aug 2019 19:29:49 GMT

I, too, am not able to get this to work at all.

Re: How to Get Eventgen working?

rsharma4 — Wed, 24 Aug 2022 07:57:08 GMT

eventgen's documentation is pathetic.

Also: gogen examples skip index names from config files - a basic getting started example is all that was needed!

https://github.com/halr9000/gogen-1/blob/master/README/Tutorial.md