
Eventgen: How can I restrict Eventgen to just index a CSV file once instead of repeating again from line one?

Builder

I was using the sample tutorial 1 as eventgen.conf, which is as below:

[sample_tutorial 1.sample]
mode = replay
sampletype = csv
timeMultiple = 2
#backfill = -15m
#backfillSearch = index=main sourcetype=splunkd


outputMode = stdout
#outputMode = splunkstream
#splunkHost = localhost
#splunkUser = admin
#splunkPass = changeme


outputMode = file
fileName = /tmp/internal.log
token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3,6}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f


token.1.token = \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}.\d{3,6}
token.1.replacementType = timestamp
token.1.replacement = %m-%d-%Y %H:%M:%S.%f


token.2.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}.\d{3,6}
token.2.replacementType = timestamp
token.2.replacement = %d/%b/%Y:%H:%M:%S.%f


token.3.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
token.3.replacementType = timestamp
token.3.replacement = %Y-%m-%d %H:%M:%S


token.4.token = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}
token.4.replacementType = timestamp
token.4.replacement = %Y-%m-%dT%H:%M:%S

Now, the below were some of the events in my .csv file, which I had kept in the samples directory:

Oct 4 08:18:25 xyz.net Oct 4 08:18:06 xyzabc.net 1,2016/10/04 ............
Oct 4 08:19:25 xyz.net Oct 4 08:18:06 xyzabc.net 1,2016/10/04 ............

It's working fine, but I'm seeing the events from my .csv file one after the other and then those 2 lines in my sample file repeating multiple times.

Now, how can I restrict Eventgen to index the .csv file just one time? That is, once all the lines in my .csv file get indexed, I don't want Eventgen to go back and start indexing again from line 1.

0 Karma

Re: Eventgen: How can I restrict Eventgen to just index a CSV file once instead of repeating again from line one?

Esteemed Legend

There is a new event generator in town and it is supposed to be easier to use and have much greater configurability:

https://github.com/coccyx/gogen/tree/master/splunk_app_gogen

0 Karma