I am trying to run EventGen's tutorial 1 on a Windows host. Generated data is not going to my test index. I have tried modifying the .conf file to:
[search2.csv]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
#backfillSearch = index=main sourcetype=splunkd
backfillSearch = index=cust1_index sourcetype=eventgen
index = cust1_index
sourcetype = eventgen
#outputMode = stdout
#outputMode = splunkstream
outputMode = modinput
splunkHost = localhost
splunkUser = admin
splunkPass =
When I look at eventgen.log after a reboot, all I see is:
2016-09-30 12:26:36,206 INFO module='config' sample='null': Running as Splunk embedded
2016-09-30 12:26:36,503 INFO module='config' sample='null': Retrieving eventgen configurations from /configs/eventgen
When I search _internal for "eventgen" I see the event "Starting EventGen", followed by a series of GET and POST statements.
But no data is going to the index cust1_index.
The eventgen.conf file is the conf file that tells the Eventgen App what to generate. Most TAs come with sample data as well as an eventgen.conf file.
In order for the eventgen.conf file to generate events you would need to download and install the app:
I have already downloaded and installed the "master" branch from Git as the application "SA-Eventgen" per the tutorial instructions I have been using.