Re: Why is Eventgen not producing data with curren...

abeeber_2 · ‎04-01-2016

Hi Splunk et al,

I am working on using Eventgen to use access and secure logs.

My test/sample app works as I am seeing events in my data summary, but the timestamps are off. I am seeing the original date/time of the timestamps in my sample log; and not events with current dates and times.

How do I fix that?

Thanks,

Andrew

ps.. below is my code from my eventgen.conf in my sample app

[www1access.log]
index = access
outputMode = modinput
sourcetype = andrew_access
source = www1access.log
interval = 300
earliest=now
latest=now
maxIntervalsBeforeFlush = 1
host = www5

nagendra008 · ‎04-03-2016

Hi Abeeber,

Its best way to keep the field names on the top of the csv. Splunk will pick automatically the as field_name.

file1.csv:
_time,IP,lOC
2016-03-08T23:02:31.000+00:00,10.10.10.1,US
2016-03-08T23:02:31.000+00:00,10.10.10.2,JAP
2016-03-08T23:02:31.000+00:00,10.10.10.3,IND

settings -> Add Data, Monitor--> files and dir( file.csv)
After adding the data you can see in the props.conf -

[checking]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

You can directly search with the field names [ _time,IP,lOC ]

Regards,
Nagee.

Why is Eventgen not producing data with current timestamps?

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Why is Eventgen not producing data with current timestamps?

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2