https://community.splunk.com/t5/Getting-Data-In/Eventgen-Replay-mode-all-same-timestamp/m-p/440958#M76864 <P>Hi, Please help me out.</P> <P>I try to generate events with replay mode, but it is not working properly. All timestamp is same. Of course original sample file is time series data, which means each event has different timestamp.</P> <P>[sampledata1.log]<BR /> mode = replay<BR /> outputMode = splunkstream<BR /> token.0.token = \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}.\d{3} token.0.replacementType = timestamp<BR /> token.0.replacement = %m-%d-%Y %H:%M:%S.%f</P> <P>sampledata1.log<BR /> "08-07-2019 22:00:03.595 +0900 INFO loader - Running utility: ""validatedb"""<BR /> "08-07-2019 22:00:04.496 +0900 INFO loader - Getting configuration data from: /home/splunk/etc/myinstall/splunkd.xml"<BR /> "08-07-2019 22:00:05.586 +0900 INFO loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to /home/splunk/etc/modules"<BR /> "08-07-2019 22:00:06.596 +0900 INFO loader - loading modules from /home/splunk/etc/modules"<BR /> "08-07-2019 22:00:07.597 +0900 INFO loader - Writing out composite configuration file: /home/splunk/var/run/splunk/composite.xml"<BR /> ................</P> <P>After restart splunk, I could see this view. Generated events have same timestamp.<BR /> <IMG src="https://community.splunk.com/storage/temp/273415-screen-shot-2019-08-09-at-45733-am.png" alt="alt text" /></P> <P>What I have to do? What wrong with this?</P> Wed, 30 Sep 2020 01:41:59 GMT brandy81 2020-09-30T01:41:59Z https://community.splunk.com/t5/Getting-Data-In/Eventgen-Replay-mode-all-same-timestamp/m-p/440958#M76864 <P>Hi, Please help me out.</P> <P>I try to generate events with replay mode, but it is not working properly. All timestamp is same. Of course original sample file is time series data, which means each event has different timestamp.</P> <P>[sampledata1.log]<BR /> mode = replay<BR /> outputMode = splunkstream<BR /> token.0.token = \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}.\d{3} token.0.replacementType = timestamp<BR /> token.0.replacement = %m-%d-%Y %H:%M:%S.%f</P> <P>sampledata1.log<BR /> "08-07-2019 22:00:03.595 +0900 INFO loader - Running utility: ""validatedb"""<BR /> "08-07-2019 22:00:04.496 +0900 INFO loader - Getting configuration data from: /home/splunk/etc/myinstall/splunkd.xml"<BR /> "08-07-2019 22:00:05.586 +0900 INFO loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to /home/splunk/etc/modules"<BR /> "08-07-2019 22:00:06.596 +0900 INFO loader - loading modules from /home/splunk/etc/modules"<BR /> "08-07-2019 22:00:07.597 +0900 INFO loader - Writing out composite configuration file: /home/splunk/var/run/splunk/composite.xml"<BR /> ................</P> <P>After restart splunk, I could see this view. Generated events have same timestamp.<BR /> <IMG src="https://community.splunk.com/storage/temp/273415-screen-shot-2019-08-09-at-45733-am.png" alt="alt text" /></P> <P>What I have to do? What wrong with this?</P> Wed, 30 Sep 2020 01:41:59 GMT https://community.splunk.com/t5/Getting-Data-In/Eventgen-Replay-mode-all-same-timestamp/m-p/440958#M76864 brandy81 2020-09-30T01:41:59Z https://community.splunk.com/t5/Getting-Data-In/Eventgen-Replay-mode-all-same-timestamp/m-p/440959#M76865 <P>It must be extracting timestamp issue. But It's correct! <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> Could anyone please let me know what's wrong?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7487i673C537CC3E68F27/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Fri, 09 Aug 2019 03:31:27 GMT https://community.splunk.com/t5/Getting-Data-In/Eventgen-Replay-mode-all-same-timestamp/m-p/440959#M76865 brandy81 2019-08-09T03:31:27Z https://community.splunk.com/t5/Getting-Data-In/Eventgen-Replay-mode-all-same-timestamp/m-p/440960#M76866 <P>You are using the following line:<BR /> token.0.replacementType = timestamp<BR /> Instead you should use:<BR /> token.0.replacementType = replaytimestamp</P> <P>This should fix your problem.</P> <P>Tip: The replaytimestamp is based on the difference of the timestamps in your sample file. So you might want to increase the difference in your sample.</P> Fri, 09 Aug 2019 13:09:59 GMT https://community.splunk.com/t5/Getting-Data-In/Eventgen-Replay-mode-all-same-timestamp/m-p/440960#M76866 dpeukert 2019-08-09T13:09:59Z https://community.splunk.com/t5/Getting-Data-In/Eventgen-Replay-mode-all-same-timestamp/m-p/440961#M76867 <P>Thank you for the answer. But I don't understand these combination below:<BR /> 1. mode=reply / token.x.replacementType = replaytimestamp<BR /> 2. mode=reply / token.x.replacementType = timestamp<BR /> 3. mode=sample / token.x.replacementType = replaytimestamp<BR /> 4. mode=sample / token.x.replacementType = timestamp</P> <P>I tested 4 cases and got to know what' differences between them, but, I would like to get to know about each option based on cases. Could anybody please let me know about those cases?</P> Sun, 11 Aug 2019 07:51:30 GMT https://community.splunk.com/t5/Getting-Data-In/Eventgen-Replay-mode-all-same-timestamp/m-p/440961#M76867 brandy81 2019-08-11T07:51:30Z