Re: How to Get Eventgen working?

skoelpin · ‎12-21-2017

I installed eventgen and watched the tutorial videos. I created a new app, changed the permissions to global, created a sample folder inside the new app, dropped my sample file in /opt/splunk/etc/apps/internal_app/samples, then moved the eventgen.conf.tutorial file to /opt/splunk/etc/apps/internal_app/local, renamed it to eventgen.conf, uncommented out the lines, referenced my sample file in the stanza, and restarted Splunk. After restarting, I see zero data flowing into the main index which is the one I specified in eventgen.conf.

When I do a search on the internal logs, /opt/splunk/var/log/splunk/eventgen.log I can see my data sample along with Splunk saying it backfilled successfully.

I'm stumped as to why this isn't generating data

Here's my eventgen.conf file

[Test_Data.txt]
mode = replay
sampletype = csv
timeMultiple = 2
backfill = -15m
backfillSearch = index=main sourcetype=eventgen

outputMode = stdout
outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme


token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3,6}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f

Here's what I'm seeing in the internal logs

2017-12-21 14:01:38,605 INFO module='Timer' sample='Test_Data.txt': Stopping timer for sample 'Test_Data.txt'
host =  MCxxxxxxxxx source =/opt/splunk/var/log/splunk/eventgen.log sourcetype =eventgen

12/21/17 1:54:11.032 PM 
2017-12-21 13:54:11,032 INFO module='Timer' sample='Test_Data.txt': Backfill complete

inventsekar · ‎08-26-2019

EventGen is an important tool and at the same time, making it work looks like a very difficult task.
Poor documentation. God please save me.
Adding to the issue, like adding fuel to the fire, that video mentioned was removed.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

cboillot · ‎08-30-2019

I, too, am not able to get this to work at all.

Ohiotech · ‎05-07-2019

After installing the event gen manually (did not path correctly with directions), I added the SA-Eventgen app through the manage apps\ install from file. The trick for me was to go into the Data Input/SA-Eventgen input and enable it. (disabled during install). Events were there within minutes after a restart.

ian_thomas · ‎06-20-2019

This fixed my issue. Thanks!

harsmarvania57 · ‎12-22-2017

Hi @skoelpin,

I have created sample app with eventgen configuration and it is working fine.

Steps which I have followed
1. Installed eventgen app on splunk.
2. Created new app with name "test_app"
3. Created $SPLUNK_HOME/etc/app/test_app/default/eventgen.conf with below content

[test_data\.txt]
interval = 60
earliest = -60m
latest = now
sourcetype = test_st
source = eventgen
disabled=0
token.0.token = TTTTTTTT
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f

Created $SPLUNK_HOME/etc/apps/test_app/samples/test_data.txt file with below content

TTTTTTTT transType=ReplaceMe transID=000000 transGUID=0A0B0C userName=bob city="City" state=State zip=00000 value=0

Below content added into $SPLUNK_HOME/etc/apps/test_app/metadata/default.data
```
   [eventgen]
access = read : [ * ], write : [ admin ]
export = system
```

Restarted splunk service
And I can see data in splunk with query index=main sourcetype=test_st and events generated with eventgen are

   2017-12-22 16:19:59,595283 transType=ReplaceMe transID=000000 transGUID=0A0B0C userName=bob city="City" state=State zip=00000 value=0
2017-12-22 16:17:11,647706 transType=ReplaceMe transID=000000 transGUID=0A0B0C userName=bob city="City" state=State zip=00000 value=0

EDIT:

Tried with eventgen.conf which is provided in original question with some modification

[test_data\.txt]
mode = replay
timeMultiple = 2
backfill = -60m
backfillSearch = index=main source=eventgen

outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3,6}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f

And $SPLUNK_HOME/etc/apps/test_app/samples/test_data.txt with content

2017-10-14 11:12:13,567 transType=ReplaceMe transID=000000 transGUID=0A0B0C userName=bob city="City" state=State zip=00000 value=0

This is also backfilling data perfectly fine.

It looks you don't have any data in splunk while running backfill query index=main sourcetype=eventgen that's why eventgen is not backfilling any data.

I hope this helps.

Thanks,
Harshil

skoelpin · ‎12-22-2017

Thanks for your detailed response. I copied your directions and have an identical setup to yours and it is still not streaming data in with that sourcetype. Does it take awhile before it starts generating?

harsmarvania57 · ‎12-22-2017

It will generate events within 5 minutes after splunk restart. Can you please post some logs from eventgen.log file for test_data.txt file.

Penkov · ‎12-12-2018

Hi, harsmarvania57,
Thanks for your detailed response.But i have the same problem like "skoelpin" and i wait maybe 10 or 15 minutes and i don't receive any events from eventgen.

harsmarvania57 · ‎12-12-2018

Hi @Penkov,

I am not sure what problem are you facing but you can try Gogen instead of Eventgen https://github.com/coccyx/gogen , this also generate dummy data but I never tried this.

Penkov · ‎12-12-2018

Thanks @harsmarvania57 for your answer. My problem is that i can't run eventgen and create any type of event. I try to copied your directions and have an identical setup to yours and it is still not streaming data in with that sourcetype.

harsmarvania57 · ‎12-12-2018

Which version of Splunk are you running ? and Is it standalone instance, if not standalone then on which instance you installed eventgen ? It will be good to start new question with required information and refer this question link in your new question.

naidusadanala · ‎12-21-2017

Replace [Test_Data.txt] with [Test_Data] , Restart the server.

It should work.

Please let us know

mayurr98 · ‎12-21-2017

Hey

Use this link

https://youtu.be/9S-ZeGEfRKg

1) download eventgen from https://github.com/splunk/eventgen
2) extract it to etc/apps/SA-Eventgen (yes, it should be named that to eventgen).
3) review Eventgen in Manage Apps, you may want to make it visible.
4) Restart Splunk
eventgen.conf and samples in them that are ready to go

skoelpin · ‎12-21-2017

I've watched that video about 4x over now and have an identical setup and it will not generate events!

rsharma4 · ‎08-24-2022

eventgen's documentation is pathetic.

Also: gogen examples skip index names from config files - a basic getting started example is all that was needed!

https://github.com/halr9000/gogen-1/blob/master/README/Tutorial.md

How to Get Eventgen working?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?