
Eventgen basic configuration, but still not generating any events

inventsekar
SplunkTrust

Hi All,
I have been following this doc:
http://splunk.github.io/eventgen/

  1. a fresh splunk installation
  2. splunk eventgen installed as a Splunk App.
  3. created a sample app (testapp)
  4. given permission as "All apps (system)"
  5. created this file:
    /opt/splunk/etc/apps/testapp/default/eventgen.conf

    [sample.tutorial1]
    mode = replay
    sampletype = csv
    timeMultiple = 2
    backfill = -15m
    backfillSearch = index=main sourcetype=splunkd

    outputMode = splunkstream
    splunkHost = localhost
    splunkUser = admin
    splunkPass = changeme

    token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
    token.0.replacementType = timestamp
    token.0.replacement = %Y-%m-%d %H:%M:%S,%f

    updated the password:
    splunkUser = admin
    splunkPass = changeme

  6. a sample file is already present at
    /opt/splunk/etc/apps/SA-Eventgen/samples/sample.tutorial1

  7. restarted Splunk. No events.

  8. copied the above file to testapp:
    cp /opt/splunk/etc/apps/SA-Eventgen/samples/sample.tutorial1 /opt/splunk/etc/apps/testapp/samples

  9. restarted Splunk. NO events.

Any help would be appreciated. thanks!

1 Solution

lwu_splunk
Splunk Employee
  1. First you need to enable Eventgen modular input. Settings > Data Inputs > Local Inputs > SA-Eventgen > Enable
  2. When you are using SA-Eventgen, by default the outputMode = modinput instead of splunkstream. So you can change the conf to:
    [sample.tutorial1]
    mode = replay
    sampletype = csv
    timeMultiple = 2
    backfill = -15m
    backfillSearch = index=main sourcetype=splunkd

    token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
    token.0.replacementType = timestamp
    token.0.replacement = %Y-%m-%d %H:%M:%S,%f


meghasahai
Engager

Hi,

Try placing the eventgen.conf file under $SPLUNK_HOME\etc\apps\your_app\local and then restart Splunk.


santoshkumar3
Engager

Guys, is there any solution for the above issue? It would be great if someone could comment the solution here. I am also facing the same issue.

richgalloway
SplunkTrust

@santoshkumar3 This question has an accepted answer. If it doesn't address your problem then you should post a new question.


inventsekar
SplunkTrust

Searched, read, tried all options at that doc link at point number 1, but still no luck.

Please provide me a step-by-step configuration for a few examples (file output, splunkstream output, replay, any other interesting methods) and you can have my 50 karma points. Thanks.


inventsekar
SplunkTrust

Tried those suggestions, but still no luck.
Any other suggestion, please?


inventsekar
SplunkTrust

Yes, I created this config file. The modular input has been enabled, but no events yet.

[root@ip-address default]# pwd
/opt/splunk/etc/apps/testapp/default
[root@ip-address default]# more eventgen.conf
[sample.tutorial1]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=splunkd

outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
[root@ip-address default]#


lwu_splunk
Splunk Employee

Do not use outputMode=splunkstream. Check the conf in my answer.


inventsekar
SplunkTrust

Yes, I updated the config file.

[root@ip-address default]# more eventgen.conf
[sample.tutorial1]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=splunkd

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
[root@ip-address default]# pwd
/opt/splunk/etc/apps/testapp/default
[root@ip-address default]#


lwu_splunk
Splunk Employee

I can get events after waiting for a while using the same config above. Try searching index=main to check the events.


lwu_splunk
Splunk Employee

Also check your testapp has global permission.


inventsekar
SplunkTrust

testapp permissions modified to global. Waited for a few mins, but no events yet.
Should I restart Splunk?


lwu_splunk
Splunk Employee

No need to restart Splunk. I cannot reproduce your issue. You can check the logs.


inventsekar
SplunkTrust

I see these logs in splunkd.log:

08-30-2019 05:10:36.475 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.awss3' from 'awss3.py'"}
08-30-2019 05:10:36.475 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/counter.py'"}
08-30-2019 05:10:36.478 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.counter' from 'counter.py'"}
08-30-2019 05:10:36.478 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/devnull.py'"}
08-30-2019 05:10:36.481 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.devnull' from 'devnull.py'"}
08-30-2019 05:10:36.481 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/file.py'"}
08-30-2019 05:10:36.483 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.file' from 'file.py'"}
08-30-2019 05:10:36.483 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/httpevent.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.httpevent' from 'httpevent.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/httpevent_core.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.httpevent_core' from 'httpevent_core.py'"}
08-30-2019 05:10:36.515 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Searching for plugin in file '/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/output/metric_httpevent.py'"}


lwu_splunk
Splunk Employee

This is a normal debug message and Splunk adds the ERROR level to it.

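To separate genuine modular-input failures from this relabelled debug chatter, here is an added example (not from the thread or from Eventgen) that re-parses splunkd's ExecProcessor lines and keeps the script's own level instead of the outer ERROR tag. The sample lines are constructed in the shape quoted above; the third one carries a made-up script-side ERROR to show the filter working.

```python
import re
from collections import Counter

# Constructed lines in the shape quoted above: Splunk stamps every stderr line from the
# modular input as ERROR, while the script's own level sits further in ("DEBUG", "ERROR").
SAMPLE_LOG = """\
08-30-2019 05:10:36.475 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.awss3' from 'awss3.py'"}
08-30-2019 05:10:36.478 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:36 eventgen DEBUG MainProcess {'event': "Loading module 'output.counter' from 'counter.py'"}
08-30-2019 05:10:37.002 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-08-30 05:10:37 eventgen ERROR MainProcess {'event': "constructed failure: sample file not found"}
08-30-2019 05:10:38.000 +0000 WARN  TailReader - constructed unrelated line
"""

# Outer splunkd fields, then the wrapped script line: "<date> <time> <logger> <LEVEL> <process> <body>".
EXEC_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) (?P<outer>[A-Z]+) ExecProcessor - message from "(?P<cmd>[^"]+)" '
    r'(?P<inner_ts>\S+ \S+) (?P<logger>\S+) (?P<inner>[A-Z]+) (?P<proc>\S+) (?P<body>.*)$'
)


def parse_exec_line(line):
    """Return a dict of the fields for an ExecProcessor line, or None for any other splunkd line."""
    m = EXEC_RE.match(line)
    return m.groupdict() if m else None


def inner_level_counts(text):
    """Histogram of the script-side levels hidden behind splunkd's ERROR tag."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_exec_line(line)
        if parsed:
            counts[parsed["inner"]] += 1
    return dict(counts)


def real_errors(text, levels=("ERROR", "CRITICAL")):
    """Bodies of ExecProcessor lines whose script-side level is genuinely an error."""
    return [p["body"] for p in map(parse_exec_line, text.splitlines()) if p and p["inner"] in levels]
```

The same split can be expressed in SPL with a rex on the field after the closing quote of the command, so alerting keys off the inner level rather than ExecProcessor's blanket ERROR.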

lwu_splunk
Splunk Employee

I believe you did not read the doc carefully.
Your testapp should be a bundle that has the following structure:
- samples/sample.tutorial1
- default/eventgen.conf
- metadata/default.meta

I cannot get any error logs or more detailed info from you, so I cannot give further advice.

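A check covering the accepted answer's two points and the bundle structure above, as an added example that is not from the thread or from Eventgen: it builds a constructed testapp bundle in a temp directory and flags outputMode = splunkstream under SA-Eventgen, a stanza with no matching samples/ file, a default.meta that does not export the app globally, and admin credentials left in eventgen.conf. The option names and the default.meta export syntax are Splunk's; the stanza is a trimmed copy of the one posted above and the sample file contents are constructed.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed copy of the questioner's stanza (trimmed); EXTRA is what the accepted answer drops.
BASE_STANZA = r"""[sample.tutorial1]
mode = replay
sampletype = csv
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
"""
EXTRA = "outputMode = splunkstream\nsplunkHost = localhost\nsplunkUser = admin\nsplunkPass = changeme\n"

def check_bundle(app_dir):
    """Return findings for one Eventgen app bundle; an empty list means it matches the thread's fix."""
    app = Path(app_dir)
    conf_path = app / "default" / "eventgen.conf"
    if not conf_path.is_file():
        return ["missing default/eventgen.conf"]
    conf = configparser.ConfigParser(interpolation=None)  # keep %Y-%m-%d literal
    conf.read(conf_path)
    findings = []
    for stanza in conf.sections():  # configparser lowercases option names
        if not (app / "samples" / stanza).is_file():
            findings.append(f"[{stanza}] no matching file samples/{stanza}")
        if conf[stanza].get("outputmode", "modinput") == "splunkstream":
            findings.append(f"[{stanza}] outputMode=splunkstream; SA-Eventgen expects the modinput default")
        for key in ("splunkuser", "splunkpass"):
            if key in conf[stanza]:
                findings.append(f"[{stanza}] plaintext credential '{key}' stored in eventgen.conf")
    meta = app / "metadata" / "default.meta"
    if not meta.is_file() or "export=system" not in meta.read_text().replace(" ", ""):
        findings.append("metadata/default.meta does not export the app globally (export = system)")
    return findings

def build_bundle(root, extra="", with_meta=True):  # writes a constructed testapp bundle, returns its path
    app = Path(root) / "testapp"
    for sub in ("default", "samples", "metadata"):
        (app / sub).mkdir(parents=True)
    (app / "default" / "eventgen.conf").write_text(BASE_STANZA + extra)
    (app / "samples" / "sample.tutorial1").write_text("_raw\nconstructed sample line\n")
    if with_meta:
        (app / "metadata" / "default.meta").write_text("[]\nexport = system\n")
    return app

def demo():
    """Findings for the questioner's first attempt versus the accepted answer's layout."""
    with tempfile.TemporaryDirectory() as tmp:
        broken = check_bundle(build_bundle(Path(tmp) / "a", EXTRA, with_meta=False))
        fixed = check_bundle(build_bundle(Path(tmp) / "b"))
    return broken, fixed
```

Point check_bundle at a real $SPLUNK_HOME/etc/apps/<app> directory to run the same checks against a live bundle.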

inventsekar
SplunkTrust

I followed the bundle structure, but still no luck.


lwu_splunk
Splunk Employee

I can schedule a short meeting with you when you are available. Send me email with your available time: lwu@splunk.com. Thanks.


inventsekar
SplunkTrust

Any updates, please?
