The file output seems to max at 10MB and then rotates out. My concern is that it happens so fast that it's rotating out before Splunk has the chance to read it, or that it overflows at a single burst. The output file is persisently at 0 KB, with the rotated files are 10,275KB, so it is hard to see what exactly is happening. I'd like to change it to at least 100MB.
Came back to answer my own question. The root of my issues was that I was not including milliseconds in my logs. The reason I left them out at first was because I was struggling to find a regex that worked in Eventgen. I would test it in Splunk but, Eventgent would not take it. Eventually, I found and an extraction that worked for me:
After I did this, it worked much better, and I no longer had to output to file.
If you think about it, the time multiplier can't work very well if you have a large number of events in the same second.
Here is a tip: to have uniform time regexes in eventgen.conf, concatenate the datetime in a uniform format with the _raw field in the source data that you export. Eventgen will get the first date that it reads in the event line according to your regex. This eliminates a lot of the troubleshooting when trying to catch the date field, especially with logs that have multiple date time formats.