Hi All,
I have been following this doc:
http://splunk.github.io/eventgen/
created this file:
/opt/splunk/etc/apps/testapp/default/eventgen.conf
[sample.tutorial1]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=splunkd
outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme
token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
updated the password:
splunkUser = admin
splunkPass = changeme
a sample file is already present at
/opt/splunk/etc/apps/SA-Eventgen/samples/sample.tutorial1
Restarted Splunk. No events.
Copied the above file to testapp:
cp /opt/splunk/etc/apps/SA-Eventgen/samples/sample.tutorial1 /opt/splunk/etc/apps/testapp/samples
Restarted Splunk. No events.
Any help would be appreciated. Thanks!
Settings > Data Inputs > Local Inputs > SA-Eventgen > Enable
When you are using SA-Eventgen, by default the outputMode = modinput instead of splunkstream. So you can change the conf to:
[sample.tutorial1]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=splunkd
token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
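A lint for the change described in the answer above, as an added example that is not part of the original thread or of Eventgen itself: it parses an eventgen.conf and reports stanzas that still set outputMode = splunkstream or carry the splunkHost/splunkUser/splunkPass lines, including the plaintext password. The function name lint_eventgen_conf and the embedded sample are assumptions made for illustration.

```python
import configparser

# Constructed copy of the stanza from the question; the password is the
# placeholder value shown there, not a real credential.
SAMPLE_CONF = r"""
[sample.tutorial1]
mode = replay
sampletype = csv
outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme
token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
"""

# Settings that the accepted answer's conf leaves out.
CONNECTION_KEYS = ("splunkHost", "splunkUser", "splunkPass")


def lint_eventgen_conf(text):
    """Return (stanza, message) findings for a conf run under SA-Eventgen."""
    # interpolation=None: strftime values such as %Y would otherwise raise.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep camelCase keys such as outputMode
    parser.read_string(text)
    findings = []
    for stanza in parser.sections():
        opts = parser[stanza]
        if opts.get("outputMode") == "splunkstream":
            findings.append(
                (stanza, "outputMode=splunkstream overrides the modinput default"))
        for key in CONNECTION_KEYS:
            if key in opts:
                detail = ("plaintext credential stored in the conf file"
                          if key == "splunkPass"
                          else "not present in the accepted answer's conf")
                findings.append((stanza, f"{key}: {detail}"))
    return findings


if __name__ == "__main__":
    for stanza, message in lint_eventgen_conf(SAMPLE_CONF):
        print(f"[{stanza}] {message}")
```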
Hi,
Try placing the eventgen.conf file under the $SPLUNK_HOME\etc\apps\your_app\local and then restart Splunk.
Guys, any solution for the above issue? It would be great if you can comment the solution here. I am also facing the same issue.
@santoshkumar3 This question has an accepted answer. If it doesn't address your problem then you should post a new question.
Searched, read, tried all options at that doc link at point number 1, but still no luck.
Please provide me step by step configuration for a few examples (file output, splunkstream output, replay, any other interesting methods) and you can have my 50 karma points. Thanks
Tried that suggestion, but still no luck.
Any other suggestion, please?
Ya, I created this config file. Modular input has been enabled, but no events yet.
[root@ip-address default]# pwd
/opt/splunk/etc/apps/testapp/default
[root@ip-address default]# more eventgen.conf
[sample.tutorial1]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=splunkd
outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme
token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
[root@ip-address default]#
Do not use outputMode=splunkstream. Check the conf in my answer.
Ya, I updated the config file.
[root@ip-address default]# more eventgen.conf
[sample.tutorial1]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=splunkd
token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
[root@ip-address default]# pwd
/opt/splunk/etc/apps/testapp/default
[root@ip-address default]#
I can get events after waiting for a while using the same config above. Try search index=main to check the events.
Also check your testapp has global permission.
testapp permissions modified to global. Waited for a few mins, but no events yet.
Should I restart Splunk?
No need to restart Splunk. I cannot reproduce your issue. You can check the logs.
I see these logs in splunkd.log:
08-30-2019 05:10:36.475 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.awss3' from 'awss3.py'"}
08-30-2019 05:10:36.475 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/counter.py'"}
08-30-2019 05:10:36.478 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.counter' from 'counter.py'"}
08-30-2019 05:10:36.478 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/devnull.py'"}
08-30-2019 05:10:36.481 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.devnull' from 'devnull.py'"}
08-30-2019 05:10:36.481 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/file.py'"}
08-30-2019 05:10:36.483 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.file' from 'file.py'"}
08-30-2019 05:10:36.483 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/httpevent.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.httpevent' from 'httpevent.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/httpevent_core.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.httpevent_core' from 'httpevent_core.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/metric_httpevent.py'"}
This is a normal debug message and Splunk adds ERROR level to it.
I believe you did not read the doc carefully.
Your testapp should be a bundle that has the following structure:
- samples/sample.tutorial1
- default/eventgen.conf
- metadata/default.meta
I cannot get any error logs or more detailed info from you and I cannot give further advice.
I followed the bundle structure, but still no luck.
I can schedule a short meeting with you when you are available. Send me email with your available time: lwu@splunk.com. Thanks.
Any updates, please?
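A triage sketch for the splunkd.log lines quoted above, as an added example that is not part of the original thread: it reads the level the Eventgen script logged for itself inside each ExecProcessor line, so DEBUG/INFO output wrapped as ERROR can be separated from lines worth investigating. The regex, the triage function and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# splunkd prefix (with its own level), then the modular input's own log record.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'(?P<outer>[A-Z]+) ExecProcessor - message from "(?P<cmd>[^"]+)" '
    r'(?P<inner_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<logger>\S+) '
    r'(?P<inner>[A-Z]+) (?P<proc>\S+) (?P<msg>.*)$'
)
NOISE_LEVELS = {"DEBUG", "INFO"}

# Lines 1-2 are copied from the thread; lines 3-4 are constructed samples.
SAMPLE_LOG = r'''
08-30-2019 05:10:36.475 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.awss3' from 'awss3.py'"}
08-30-2019 05:10:36.478 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.counter' from 'counter.py'"}
08-30-2019 05:10:37.002 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:37 eventgen ERROR MainProcess {'event': "constructed example failure"}
08-30-2019 05:10:37.010 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" Traceback (most recent call last):
'''.strip().splitlines()


def triage(lines):
    """Return (actionable_lines, Counter of the script's own log levels)."""
    actionable, levels = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            # No embedded level (for example a raw traceback): keep the line,
            # because splunkd's label is the only severity available.
            levels["UNPARSED"] += 1
            actionable.append(line)
            continue
        levels[m["inner"]] += 1
        if m["inner"] not in NOISE_LEVELS:
            actionable.append(line)
    return actionable, levels


if __name__ == "__main__":
    keep, counts = triage(SAMPLE_LOG)
    print(dict(counts))
    for line in keep:
        print(line)
```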