<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: eventgen and outputMode = s2s not working in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/eventgen-and-outputMode-s2s-not-working/m-p/563981#M100449</link>
    <description>&lt;P&gt;Thanks for the suggestion but this hasn't worked.&lt;/P&gt;&lt;P&gt;The error is identical after installing and running the file through dos2unix.&lt;/P&gt;&lt;P&gt;The file was created in vi so I kind of doubted this was the problem.&lt;/P&gt;</description>
    <pubDate>Thu, 19 Aug 2021 17:15:59 GMT</pubDate>
    <dc:creator>philwild</dc:creator>
    <dc:date>2021-08-19T17:15:59Z</dc:date>
    <item>
      <title>eventgen and outputMode = s2s not working</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/eventgen-and-outputMode-s2s-not-working/m-p/561222#M92712</link>
      <description>&lt;P&gt;Hi!&lt;/P&gt;&lt;P&gt;I'm having a real issue trying to get eventgen working.&lt;/P&gt;&lt;P&gt;I'm trying to use the outputMode = s2s but it is bombing out with the below.&lt;/P&gt;&lt;LI-CODE lang="c"&gt;2021-07-28 15:06:42 eventgen        ERROR    MainProcess 'utf-8' codec can't decode byte 0xb3 in position 3: invalid start byte
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/eventgen_core.py", line 304, in _worker_do_work
    item.run()
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/outputplugin.py", line 39, in run
    self.flush(self.events)
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 204, in flush
    m["_time"],
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 173, in send_event
    e = self._encode_event(index, host, source, sourcetype, _raw, _time)
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 124, in _encode_event
    encoded_raw = self._encode_key_value("_raw", _raw)
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 78, in _encode_key_value
    return "%s%s" % (self._encode_string(key), self._encode_string(value))
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 69, in _encode_string
    "utf-8"
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb3 in position 3: invalid start byte&lt;/LI-CODE&gt;&lt;P&gt;My eventgen.conf file looks like this:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[cisco_asa.sample]
mode = replay
count = -1
timeMultiple = 1
sampletype = raw
# outputMode = tcpout
outputMode = s2s
splunkHost = splunk_search
splunkPort = 9997
source = udp:514
host = boundary-fw1
index = main
sourcetype = cisco:asa
# tcpDestinationHost = splunk_uf1
# tcpDestinationPort = 3333
token.0.token = \w{3} \d{2} \d{2}:\d{2}:\d{2}
token.0.replacementType = replaytimestamp
token.0.replacement = %b %d %H:%M:%S&lt;/LI-CODE&gt;&lt;P&gt;It works fine with tcpout (the commented-out bits above) but not as s2s.&lt;/P&gt;&lt;P&gt;I'm executing eventgen like this:&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;/usr/bin/python3.7 /usr/bin/splunk_eventgen -v generate /opt/splunk-eventgen/default/eventgen.conf&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;The reason I'm using s2s is I'd like to generate sample data as if it's coming from many hosts, sources and sourcetypes and I can't do that if I'm using tcpout.&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;In the above config, splunk_search is a standalone test Splunk install. Sending directly to this Splunk host via s2s fails.&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;If I switch back to tcpout, then I'm sending to a Splunk UF with a tcpinput configured which is then sending to splunk_search via tcp/9997.&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;eventgen was installed and configured as per&amp;nbsp;&lt;A href="http://splunk.github.io/eventgen/SETUP.html#install" target="_blank" rel="noopener"&gt;http://splunk.github.io/eventgen/SETUP.html#install&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;Any suggestions?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 28 Jul 2021 15:37:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/eventgen-and-outputMode-s2s-not-working/m-p/561222#M92712</guid>
      <dc:creator>philwild</dc:creator>
      <dc:date>2021-07-28T15:37:42Z</dc:date>
    </item>
    <item>
      <title>Re: eventgen and outputMode = s2s not working</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/eventgen-and-outputMode-s2s-not-working/m-p/561971#M100093</link>
      <description>&lt;P&gt;That error means you have a character in eventgen.conf that can't be decoded. That's usually a copy/paste problem from Windows/web to Linux.&lt;/P&gt;&lt;P&gt;Running dos2unix against the file will usually fix that. yum install -y dos2unix (if you don't have it).&lt;/P&gt;&lt;P&gt;Example:&lt;BR /&gt;[root@:~]$ dos2unix /tmp/eventgen.conf&lt;BR /&gt;dos2unix: converting file /tmp/eventgen.conf to Unix format...&lt;BR /&gt;[root@:~]$&lt;/P&gt;</description>
      <pubDate>Tue, 03 Aug 2021 21:31:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/eventgen-and-outputMode-s2s-not-working/m-p/561971#M100093</guid>
      <dc:creator>codebuilder</dc:creator>
      <dc:date>2021-08-03T21:31:22Z</dc:date>
    </item>
    <item>
      <title>Re: eventgen and outputMode = s2s not working</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/eventgen-and-outputMode-s2s-not-working/m-p/563981#M100449</link>
      <description>&lt;P&gt;Thanks for the suggestion but this hasn't worked.&lt;/P&gt;&lt;P&gt;The error is identical after installing and running the file through dos2unix.&lt;/P&gt;&lt;P&gt;The file was created in vi so I kind of doubted this was the problem.&lt;/P&gt;</description>
      <pubDate>Thu, 19 Aug 2021 17:15:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/eventgen-and-outputMode-s2s-not-working/m-p/563981#M100449</guid>
      <dc:creator>philwild</dc:creator>
      <dc:date>2021-08-19T17:15:59Z</dc:date>
    </item>
  </channel>
</rss>

