Have been using eventgen for quite some years, but still I can't figure out how to generate exactly the same events (of course timestamp and parameters changed) from a sample file.
Example, I've got a sample file with 10 events. All I need is these 10 events "sampled", just to ensure those 10 events happened in the last 1 hour. Here is a config example
# To generate
mode = sample
sampletype = csv
backfill = -1h
earliest = -1h
latest = now
outputMode = file
fileName = /tmp/myeventGenfile.out
The above config generates the output file correctly, but the events are repeated by about 8x. So I will receive 80 events (8x cloning of the original sample/seed file within a matter of seconds).
Any idea to make sure it generates only 1x clone of the seed file?
PS: I tried putting options like (different combinations)
end=10 # thought it makes exactly 10 events and exit. But rather it waits to hit the timer of 10 events and multiplies
timeMultiple = 2 # This slows down, but cannot ensure exact events are output
backfill = -15min # Played around various values
But none of the above works.
The below config works
[yourstanza]
mode = sample
sampletype = csv
# backfill sufficiently
backfill = -15m
outputMode = file
fileName = /tmp/eventgen.test.log
# Interval chosen so that it won't be triggered within the time of execution
interval = 36000
earliest = -60m
latest = now
# END will determine exactly one replication
end=1
As I recall (been a while since I wrote it), Eventgen doesn't have a concept of "ending", it will always keep generating new data. What is your interval and count set to? Eventgen will generate count events every interval. What you're seeing most likely is that it is generating multiple intervals of events. By default, count=0, which means to use the whole file. With that default, what you're seeing is that every interval it'll keep just putting the whole file out.
@coccyx thanks mate. I have count=0 (as it is default). So was thinking how to end it after 1st iteration. So what you are saying is to increase interval to a large value and cancel it out (or kill process) after x seconds?
Default interval is 60 seconds. Yes, if you want to generate one and only one copy, set the interval up to an impossibly high number.
https://github.com/splunk/eventgen/blob/develop/splunk_eventgen/default/eventgen.conf#L22
It should be noted, you may find gogen to be a better experience and it supports the concept of ending after a number of intervals.
thanks again mate. If you can put the comment as an Answer, I will mark it as answer and upvote. Cheers again for your help
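For comparison with the single-pass behaviour the thread is after, here is a standalone sketch that emits exactly one copy of a sample with timestamps re-based into the last hour. It is an added example, not Eventgen or gogen code and not from any poster in the thread; the function name `replay_once`, the leading `YYYY-MM-DD HH:MM:SS` timestamp format, and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: every sample event begins with a "YYYY-MM-DD HH:MM:SS" timestamp.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (not from the original post).
SAMPLE = [
    "2020-03-01 10:00:00 action=login user=alice src=10.0.0.5",
    "2020-03-01 10:30:00 action=failure user=bob src=10.0.0.9",
    "2020-03-01 12:00:00 action=logout user=alice src=10.0.0.5",
]

def replay_once(events, now, window=timedelta(hours=1)):
    """Return exactly one copy of each event, re-timed into [now - window, now].

    Order and relative spacing of the sample are kept: the oldest event lands
    at now - window and the newest at now.
    """
    events = [e.rstrip("\n") for e in events if e.strip()]
    if not events:
        return []
    parsed = []
    for e in events:
        m = TS_RE.match(e)
        if m is None:
            raise ValueError(f"no leading timestamp in event: {e!r}")
        # Keep the parsed time and the untouched remainder of the event.
        parsed.append((datetime.strptime(m.group(0), TS_FMT), e[m.end():]))
    first = min(ts for ts, _ in parsed)
    last = max(ts for ts, _ in parsed)
    span = (last - first).total_seconds()
    out = []
    for ts, rest in parsed:
        # Position of this event inside the sample's own time span (0.0 to 1.0).
        frac = (ts - first).total_seconds() / span if span else 1.0
        new_ts = now - window + window * frac
        out.append(new_ts.strftime(TS_FMT) + rest)
    return out

if __name__ == "__main__":
    for line in replay_once(SAMPLE, datetime.now()):
        print(line)
```

The output always has the same number of events as the sample, which makes it a convenient baseline to diff against the file a generator writes.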