All Apps and Add-ons

Eventgen : No data is generated

amiftah
Communicator

Hello,

I installed eventgen from https://github.com/splunk/eventgen, followed the instructions explained here https://www.youtube.com/watch?v=9S-ZeGEfRKg&feature=youtu.be&hd=1 by letter
1- execute index=_internal | reverse | fields index, host, source, sourcetype, _raw, _time, then export data to splunk_internal.csv, and rename _internal with main
2- create a new App invisible
3- create a directory samples put in it my csv
4- add eventgen.conf to directory local,
5- rename stanza with my file name.
6- restart splunk
7- when i execute * command, all I got is:

Période    Événement
23/03/17 16:40:08,000   
errorCode=400
host =  hots34 source = C:\Program Files\Splunk\etc/apps/tado/bin/zone1.py sourcetype = tado:zone
23/03/17 16:40:08,000   
errorCode=400
host =  hots34 source = C:\Program Files\Splunk\etc/apps/tado/bin/zone0.py sourcetype = tado:zone

here's my eventgen.conf:

[splunk_internal.csv]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=splunkd

outputMode = stdout
outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme

# outputMode = file
# fileName = /tmp/internal.log

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3,6}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f

token.1.token = \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}.\d{3,6}
token.1.replacementType = timestamp
token.1.replacement = %m-%d-%Y %H:%M:%S.%f

token.2.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}.\d{3,6}
token.2.replacementType = timestamp
token.2.replacement = %d/%b/%Y:%H:%M:%S.%f

token.3.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
token.3.replacementType = timestamp
token.3.replacement = %Y-%m-%d %H:%M:%S

token.4.token = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}
token.4.replacementType = timestamp
token.4.replacement = %Y-%m-%dT%H:%M:%S

thank you!

PS. Im running this on windows10
splunk entreprise 6.5

0 Karma

sstuart_splunk
Splunk Employee
Splunk Employee
 # outputMode = file
 # fileName = /tmp/internal.log

uncomment those...
then it will output it to your file names internal.log

0 Karma
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...