https://community.splunk.com/t5/Splunk-Search/Forcing-eventgen-to-refresh-normalised-replacement-files/m-p/486170#M193663 <P><STRONG>TLDR</STRONG>:<BR /> You can not force it to use the updated replacement file.</P> <P><STRONG>Long answer</STRONG>:<BR /> EventGen is designed for large data volume generation. So EventGen will read the replacement file once and cache it for event token replacement. Think if when you generate every event, you read from file and replace it with a random value from the file, it will have unacceptable I/O latency.</P> <P>If you think it is critical for your requirement, you can make a feature request here: <A href="https://github.com/splunk/eventgen/issues/new/choose">https://github.com/splunk/eventgen/issues/new/choose</A></P> <P>Thanks for your feedback.</P> Thu, 26 Sep 2019 02:40:50 GMT lwu_splunk 2019-09-26T02:40:50Z https://community.splunk.com/t5/Splunk-Search/Forcing-eventgen-to-refresh-normalised-replacement-files/m-p/486169#M193662 <P>I am using eventgen to generate transaction type data, where I create an event in Splunk and then at some point in the future, I create a new event to revoke the initial event. It works like this</P> <OL> <LI>my first event is using a guid in the event</LI> <LI>a saved search runs periodically and searches for a select set of these events and writes the guids to an outputlookup</LI> <LI>this csv is then used by another eventgen sample to create the second revocation transaction</LI> </OL> <P>However, it seems that as eventgen randomises the replacement file at startup, when the saved search rewrites the outputlookup, eventgen is not aware of that change, so will continue to use the file. This means that the same guid can be potentially reused in (2) and new guids created in (1) are not candidates.</P> <P>I can see this in the log file</P> <P>Normalized replacement file /opt/splunk/etc/apps/app/lookups/guids.csv</P> <P>is there a way to force this to refresh?</P> Wed, 25 Sep 2019 23:33:56 GMT https://community.splunk.com/t5/Splunk-Search/Forcing-eventgen-to-refresh-normalised-replacement-files/m-p/486169#M193662 bowesmana 2019-09-25T23:33:56Z https://community.splunk.com/t5/Splunk-Search/Forcing-eventgen-to-refresh-normalised-replacement-files/m-p/486170#M193663 <P><STRONG>TLDR</STRONG>:<BR /> You can not force it to use the updated replacement file.</P> <P><STRONG>Long answer</STRONG>:<BR /> EventGen is designed for large data volume generation. So EventGen will read the replacement file once and cache it for event token replacement. Think if when you generate every event, you read from file and replace it with a random value from the file, it will have unacceptable I/O latency.</P> <P>If you think it is critical for your requirement, you can make a feature request here: <A href="https://github.com/splunk/eventgen/issues/new/choose">https://github.com/splunk/eventgen/issues/new/choose</A></P> <P>Thanks for your feedback.</P> Thu, 26 Sep 2019 02:40:50 GMT https://community.splunk.com/t5/Splunk-Search/Forcing-eventgen-to-refresh-normalised-replacement-files/m-p/486170#M193663 lwu_splunk 2019-09-26T02:40:50Z https://community.splunk.com/t5/Splunk-Search/Forcing-eventgen-to-refresh-normalised-replacement-files/m-p/486171#M193664 <P>Thanks. That's as I suspected, so no big deal. I am shutting down my instance daily for the night and I don't need nightly data, so I have saved searches that will update the file before shutdown, so will be in place for the next restart.</P> Thu, 26 Sep 2019 07:17:55 GMT https://community.splunk.com/t5/Splunk-Search/Forcing-eventgen-to-refresh-normalised-replacement-files/m-p/486171#M193664 bowesmana 2019-09-26T07:17:55Z