
Eventgen basic configuration, but still not generating any events

inventsekar
Ultra Champion

Hi All,
I have been following this doc:
http://splunk.github.io/eventgen/

  1. a fresh splunk installation
  2. splunk eventgen installed as a Splunk App.
  3. created a sample app (testapp)
  4. given permission as "All apps (system)"
  5. created this file:
    /opt/splunk/etc/apps/testapp/default/eventgen.conf

    [sample.tutorial1]
    mode = replay
    sampletype = csv
    timeMultiple = 2
    backfill = -15m
    backfillSearch = index=main sourcetype=splunkd

    outputMode = splunkstream
    splunkHost = localhost
    splunkUser = admin
    splunkPass = changeme

    token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
    token.0.replacementType = timestamp
    token.0.replacement = %Y-%m-%d %H:%M:%S,%f

    updated the password:
    splunkUser = admin
    splunkPass = changeme

  6. a sample file is already present at
    /opt/splunk/etc/apps/SA-Eventgen/samples/sample.tutorial1

  7. restarted Splunk. No events.

  8. copied this above file to testapp
    cp /opt/splunk/etc/apps/SA-Eventgen/samples/sample.tutorial1 /opt/splunk/etc/apps/testapp/samples

  9. restarted Splunk. NO events.

Any help would be appreciated. thanks!

0 Karma
1 Solution

lwu_splunk
Splunk Employee
  1. First, you need to enable the Eventgen modular input: Settings > Data Inputs > Local Inputs > SA-Eventgen > Enable
  2. When you are using SA-Eventgen, the default outputMode is modinput instead of splunkstream. So you can change the conf to:
    [sample.tutorial1]
    mode = replay
    sampletype = csv
    timeMultiple = 2
    backfill = -15m
    backfillSearch = index=main sourcetype=splunkd

    token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
    token.0.replacementType = timestamp
    token.0.replacement = %Y-%m-%d %H:%M:%S,%f


0 Karma

meghasahai
Engager

Hi,

Try placing the eventgen.conf file under $SPLUNK_HOME\etc\apps\your_app\local and then restart Splunk.

0 Karma

santoshkumar3
Engager

Guys, any solution for the above issue? It would be great if someone could comment the solution here. I am also facing the same issue.

richgalloway
SplunkTrust

@santoshkumar3 This question has an accepted answer. If it doesn't address your problem then you should post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

inventsekar
Ultra Champion

Searched, read, tried all options at that doc link at point number 1, but still no luck.

Please provide me a step-by-step configuration for a few examples (file output, splunkstream output, replay, any other interesting methods) and you can have my 50 karma points. Thanks

0 Karma

inventsekar
Ultra Champion

Tried those suggestions, but still no luck.
Any other suggestion, please?

0 Karma

inventsekar
Ultra Champion

Ya, I created this config file. The modular input has been enabled, but no events yet.

[root@ip-address default]# pwd
/opt/splunk/etc/apps/testapp/default
[root@ip-address default]# more eventgen.conf
[sample.tutorial1]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=splunkd

outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
[root@ip-address default]#

0 Karma

lwu_splunk
Splunk Employee

Do not use outputMode=splunkstream. Check the conf in my answer.

0 Karma

inventsekar
Ultra Champion

Ya, I updated the config file.

[root@ip-address default]# more eventgen.conf
[sample.tutorial1]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=splunkd

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
[root@ip-address default]# pwd
/opt/splunk/etc/apps/testapp/default
[root@ip-address default]#

0 Karma

lwu_splunk
Splunk Employee

I can get events after waiting for a while using the same config above. Try search index=main to check the events.

0 Karma

lwu_splunk
Splunk Employee

Also check your testapp has global permission.

0 Karma

inventsekar
Ultra Champion

testapp permissions modified to global. Waited for a few mins, but no events yet.
Should I restart Splunk?

0 Karma

lwu_splunk
Splunk Employee

No need to restart Splunk. I cannot reproduce your issue. You can check the logs.

0 Karma

inventsekar
Ultra Champion

I see these logs in splunkd.log:

08-30-2019 05:10:36.475 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.awss3' from 'awss3.py'"}
08-30-2019 05:10:36.475 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/counter.py'"}
08-30-2019 05:10:36.478 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.counter' from 'counter.py'"}
08-30-2019 05:10:36.478 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/devnull.py'"}
08-30-2019 05:10:36.481 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.devnull' from 'devnull.py'"}
08-30-2019 05:10:36.481 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/file.py'"}
08-30-2019 05:10:36.483 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.file' from 'file.py'"}
08-30-2019 05:10:36.483 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/httpevent.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.httpevent' from 'httpevent.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/httpevent_core.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.httpevent_core' from 'httpevent_core.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/metric_httpevent.py'"}

0 Karma

lwu_splunk
Splunk Employee

This is a normal debug message and Splunk adds the ERROR level to it.

0 Karma

lwu_splunk
Splunk Employee

I believe you did not read the doc carefully.
Your testapp should be a bundle that has the following structure:
- samples/sample.tutorial1
- default/eventgen.conf
- metadata/default.meta

I cannot get any error logs or more detailed info from you, so I cannot give further advice.

0 Karma
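As an added example (not from this thread or the Eventgen project), a small Python checker that performs the checks from lwu_splunk's accepted answer and the bundle-structure reply above: the app bundle has samples/<stanza>, default/eventgen.conf and metadata/default.meta, outputMode is not splunkstream under SA-Eventgen, and token.0.token actually matches the first line of the sample. It assumes the stanza name is the literal sample filename, as in the tutorial; the sample line and the default.meta contents are constructed.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Key lines of the stanza from the accepted answer (no outputMode/splunkHost/splunkUser/splunkPass).
TUTORIAL_CONF = """[sample.tutorial1]
mode = replay
sampletype = csv
token.0.token = \\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2},\\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
"""
SAMPLE_LINE = "2019-08-30 05:10:36,475 INFO  constructed sample event\n"  # constructed, splunkd-style timestamp


def check_bundle(app_dir: Path) -> list:
    """Return the problems found in an Eventgen app bundle (empty list = looks OK).
    Assumes the stanza name is the literal sample filename, as in the tutorial."""
    problems = []
    if not (app_dir / "metadata" / "default.meta").is_file():
        problems.append("missing metadata/default.meta (needed to export the app globally)")
    cp = configparser.ConfigParser(interpolation=None)  # values contain '%' and '\'
    cp.read(app_dir / "default" / "eventgen.conf")       # silently empty if missing
    for stanza in cp.sections():
        sec = cp[stanza]
        if sec.get("outputMode", "modinput") == "splunkstream":
            problems.append(f"[{stanza}] outputMode=splunkstream; SA-Eventgen expects modinput")
        sample = app_dir / "samples" / stanza
        if not sample.is_file():
            problems.append(f"[{stanza}] samples/{stanza} not found")
            continue
        regex, lines = sec.get("token.0.token"), sample.read_text().splitlines()
        if regex and lines and not re.search(regex, lines[0]):
            problems.append(f"[{stanza}] token.0.token does not match the first sample line")
    return problems


def build_and_check(output_mode=None, with_meta=True, with_sample=True) -> list:
    """Write a constructed testapp bundle into a temp dir and run check_bundle on it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "testapp"
        (app / "default").mkdir(parents=True)
        conf = TUTORIAL_CONF + (f"outputMode = {output_mode}\n" if output_mode else "")
        (app / "default" / "eventgen.conf").write_text(conf)
        if with_meta:
            (app / "metadata").mkdir()
            (app / "metadata" / "default.meta").write_text("[]\nexport = system\n")
        if with_sample:
            (app / "samples").mkdir()
            (app / "samples" / "sample.tutorial1").write_text(SAMPLE_LINE)
        return check_bundle(app)
```

Point check_bundle at a real $SPLUNK_HOME/etc/apps/<app> directory to run the same checks against an actual bundle; build_and_check only exercises it on the constructed one.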

inventsekar
Ultra Champion

I followed the bundle structure, but still no luck.

0 Karma

lwu_splunk
Splunk Employee

I can schedule a short meeting with you when you are available. Send me email with your available time: lwu@splunk.com. Thanks.

0 Karma

inventsekar
Ultra Champion

Any updates, please?

0 Karma