Eventgen not taking my txt file from sample directory

Nith — Fri, 30 Oct 2020 16:34:45 GMT

Hi Everyone,

I've added a txt file to SA-Eventgen sample folder and wrote the configuration in the eventgen.conf file as follows.

[mihealth-https_error]
mode = sample
interval = 15
earliest = -15s
latest = now
count = 25
hourOfdayRate = { "0": 0.8, "1": 1.0: "2": 0.9, "3":0.7, "4":0.7, "5":0.7, "6":0.7, "7":0.7, "8":0.7, "9":0.7, "10":0.7, "11":0.7, "12":0.7, "13":0.7, "14":0.7, "15":0.7, "16":0.7, "17":0.7, "18":0.7, "19":0.7, "20":0.7, "21":0.7, "22":0.7, "23":0.7 }
dayOfWeekRate = { "0": 0.7, "1": 0.7, "2": 0.7, "3": 0.6, "4": 0.8, "5": 1.0, "6": 0.9 }
randomizeCount = 0.2
randomizeEvents = true
outputMode = modinput
sourcetype = eventgen_test3
source = eventgendemo3
index = eventgen
token.0.token = \[(\w+\s\w+\s\d+\s\d+:\d+:\d+.\d+\s\d+)\]
token.0.replacementType = timestamp
token.0.replacement = %a %b %d %H:%M:%S.%6N %Y
token.1.token = $\w+\s\w+.(\w+).\w+:\d+$
token.1.replacementType = file
token.1.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/orderType.sample

the txt data look like this in the sample folder:

[Thu Jun 04 09:37:31.838874 2020] [ssl:info] [pid 24583] [client 10.10.10.1:39900] NC00000: Connection to child 8 established (server core.Company.com:443)

it is not generating any events, could you please help me?

Thanks in advance

Re: Eventgen not taking my txt file from sample directory

richgalloway — Fri, 30 Oct 2020 18:01:19 GMT

Dumb question: did you restart Splunk after changing eventgen.conf?

Re: Eventgen not taking my txt file from sample directory

Nith — Sat, 31 Oct 2020 11:48:32 GMT

yes several times, and checked the enabled status also the sharing is Global

topic Re: Eventgen not taking my txt file from sample directory in Splunk Enterprise Security

Eventgen not taking my txt file from sample directory

Re: Eventgen not taking my txt file from sample directory

Re: Eventgen not taking my txt file from sample directory