Hello, i have a problem with outputMode in EventGen 6.5.2.

In this case, i use 2 server installed Splunk Enterprise 8.0.1. Both hostname are SPLUNK8 and SPLUNK8-Eventgen. Only SPLUNK8-Eventgen installed with EventGen as Splunk Apps.

This is eventgen.conf that i used.

[sample.gentest1]
mode = sample
autotimestamp = true
interval = 3

outputMode = tcpout
index = main
host = host1.foobar.com

source = TCPout60000-to-HF
sourcetype = test

tcpDestinationHost = 10.10.91.103
tcpDestinationPort = 60000

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S

token.1.token = transType=(\w+)
token.1.replacementType = random
token.1.replacement = list[ "New", "New", "Change", "Change", "Change", "Delete" ]

token.2.token = transID=(\d+)
token.2.replacementType = random
token.2.replacement = integer[0:10000]

token.3.token = transGUID=([0-9a-fA-F]+)
token.3.replacementType = random
token.3.replacement = guid

token.4.token = userName=(\w+)
token.4.replacementType = file
token.4.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/samples/userName.sample

token.5.token = city="(\w+)"
token.5.replacementType = mvfile
token.5.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/samples/markets.sample:2

token.6.token = state=(\w+)
token.6.replacementType = mvfile
token.6.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/samples/markets.sample:3

token.7.token = zip=(\d+)
token.7.replacementType = mvfile
token.7.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/samples/markets.sample:1

token.8.token = value=(\d+)
token.8.replacementType = random
token.8.replacement = float[0.000:10.000]

This is inputs.conf from SPLUNK8

[default]
host = SPLUNK8-HF

[splunktcp://9997]
connection_host = ip

[udp://3333]
connection_host = ip
no_appending_timestamp = true
disabled = 0

[tcp://60000]
connection_host = ip
no_appending_timestamp = true
disabled = 0

This is outputs.conf from SPLUNK8

# Turn off indexing on the search head
[indexAndForward]
index = false

# If true, disables index filtering. Events for all indexes are then forwarded. Defaults to false.
[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
server=10.10.91.102:9997

This is inputs.conf from SPLUNK8-Eventgen.

[default]
host = SPLUNK8-Eventgen

#[splunktcp://9997]
#connection_host = ip

#[udp://51400]
#connection_host = ip
#no_appending_timestamp = true
#disabled = 0

#[tcp://60000]
#connection_host = ip
#no_appending_timestamp = true
#disabled = 0

This is outputs.conf from SPLUNK8-Eventgen.

# Turn off indexing on the search head
[indexAndForward]
index = false

# If true, disables index filtering. Events for all indexes are then forwarded. Defaults to false.
#[tcpout]
#defaultGroup = my_search_peers
#forwardedindex.filter.disable = true
#indexAndForward = false

#[tcpout:my_search_peers]
#server=10.10.91.103:9997

From this configuration, SPLUNK8-Eventgen is supposed to send generated event to SPLUNK8 by using Port 60000. Because in eventgen.conf specify tcpDestinationHost and tcpDestinationPort to SPLUNK8.

But, SPLUNK8 does not receive generated event from SPLUNK8-Eventgen. Even there is no ESTABLISHED connection with Port 60000 between SPLUNK8 and SPLUNK8-Eventgen in netstat command line.

My question is :
1. Is outputMode only working by using PyPi Installation ?

Because when i use as Splunk Apps, outputMode became meaningless because it can not send generated event to SPLUNK8.

Even after i change outputMode from tcpout to udpout or httpevent. In SPLUNK8 side, i also enable Data Input in TCP, UDP dan HTTP Event Collector. Is it a bug or something ?