Hello, I have a problem with outputMode in EventGen 6.5.2.
In this case, I use 2 servers with Splunk Enterprise 8.0.1 installed. The hostnames are SPLUNK8 and SPLUNK8-Eventgen. Only SPLUNK8-Eventgen has EventGen installed as a Splunk App.
This is the eventgen.conf that I used.
[sample.gentest1]
mode = sample
autotimestamp = true
interval = 3
outputMode = tcpout
index = main
host = host1.foobar.com
source = TCPout60000-to-HF
sourcetype = test
tcpDestinationHost = 10.10.91.103
tcpDestinationPort = 60000
token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S
token.1.token = transType=(\w+)
token.1.replacementType = random
token.1.replacement = list[ "New", "New", "Change", "Change", "Change", "Delete" ]
token.2.token = transID=(\d+)
token.2.replacementType = random
token.2.replacement = integer[0:10000]
token.3.token = transGUID=([0-9a-fA-F]+)
token.3.replacementType = random
token.3.replacement = guid
token.4.token = userName=(\w+)
token.4.replacementType = file
token.4.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/samples/userName.sample
token.5.token = city="(\w+)"
token.5.replacementType = mvfile
token.5.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/samples/markets.sample:2
token.6.token = state=(\w+)
token.6.replacementType = mvfile
token.6.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/samples/markets.sample:3
token.7.token = zip=(\d+)
token.7.replacementType = mvfile
token.7.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/lib/splunk_eventgen/samples/markets.sample:1
token.8.token = value=(\d+)
token.8.replacementType = random
token.8.replacement = float[0.000:10.000]
This is inputs.conf from SPLUNK8.
[default]
host = SPLUNK8-HF
[splunktcp://9997]
connection_host = ip
[udp://3333]
connection_host = ip
no_appending_timestamp = true
disabled = 0
[tcp://60000]
connection_host = ip
no_appending_timestamp = true
disabled = 0
This is outputs.conf from SPLUNK8.
# Turn off indexing on the search head
[indexAndForward]
index = false
# If true, disables index filtering. Events for all indexes are then forwarded. Defaults to false.
[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=10.10.91.102:9997
This is inputs.conf from SPLUNK8-Eventgen.
[default]
host = SPLUNK8-Eventgen
#[splunktcp://9997]
#connection_host = ip
#[udp://51400]
#connection_host = ip
#no_appending_timestamp = true
#disabled = 0
#[tcp://60000]
#connection_host = ip
#no_appending_timestamp = true
#disabled = 0
This is outputs.conf from SPLUNK8-Eventgen.
# Turn off indexing on the search head
[indexAndForward]
index = false
# If true, disables index filtering. Events for all indexes are then forwarded. Defaults to false.
#[tcpout]
#defaultGroup = my_search_peers
#forwardedindex.filter.disable = true
#indexAndForward = false
#[tcpout:my_search_peers]
#server=10.10.91.103:9997
From this configuration, SPLUNK8-Eventgen is supposed to send the generated events to SPLUNK8 using port 60000, because eventgen.conf specifies tcpDestinationHost and tcpDestinationPort pointing to SPLUNK8.
But SPLUNK8 does not receive any generated events from SPLUNK8-Eventgen. There is not even an ESTABLISHED connection on port 60000 between SPLUNK8 and SPLUNK8-Eventgen in the netstat output.
My question is:
1. Does outputMode only work with the PyPI installation?
Because when I use it as a Splunk App, outputMode becomes meaningless, since it cannot send the generated events to SPLUNK8.
Even after I change outputMode from tcpout to udpout or httpevent. On the SPLUNK8 side, I also enabled Data Inputs for TCP, UDP and HTTP Event Collector. Is it a bug or something?
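The symptom above (no ESTABLISHED connection on port 60000) can be separated from Eventgen itself by reproducing what tcpout puts on the wire with a few lines of Python. The script below is an added example, not Eventgen's code and not from the poster: it parses tcpDestinationHost/tcpDestinationPort from a constructed copy of the stanza above (the IP and port are the ones in the post), sends newline-delimited events to that raw TCP input the way a [tcp://60000] input with no_appending_timestamp = true expects them, and includes a throw-away loopback listener standing in for the Splunk input so the round trip can be run offline. The event lines, the listener and the function names are all assumptions made for the example.

```python
"""Reachability check for an Eventgen ``outputMode = tcpout`` destination.

Added example: not Eventgen's own code and not from the post. It reads
tcpDestinationHost/tcpDestinationPort from an eventgen.conf stanza, writes
newline-delimited events to that raw TCP port the way tcpout does, and can
stand up a throw-away listener that plays the role of Splunk's [tcp://60000]
input so the round trip can be exercised locally.
"""
import configparser
import socket
import socketserver
import threading
import time
from datetime import datetime

# Constructed copy of the relevant keys from the post's stanza (IP and port are
# the ones in the post). interpolation=None is required: eventgen.conf carries
# strftime tokens such as %Y that configparser's default interpolation rejects.
SAMPLE_CONF = """
[sample.gentest1]
mode = sample
outputMode = tcpout
tcpDestinationHost = 10.10.91.103
tcpDestinationPort = 60000
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S
"""


def load_tcp_destination(conf_text, stanza="sample.gentest1"):
    """Return (host, port) from a tcpout stanza; raise if it is another outputMode."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[stanza]
    if sec.get("outputMode", fallback="").strip() != "tcpout":
        raise ValueError("stanza [%s] is not outputMode = tcpout" % stanza)
    return sec["tcpDestinationHost"].strip(), int(sec["tcpDestinationPort"])


def build_events(count, when=None):
    """Constructed events shaped like the post's sample; no Eventgen tokens involved."""
    when = when or datetime(2020, 1, 1, 12, 0, 0)
    stamp = when.strftime("%Y-%m-%d %H:%M:%S,000")
    return ["%s transType=New transID=%d userName=test" % (stamp, i) for i in range(count)]


def probe_destination(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds. False covers the post's symptom:
    nothing listening (ECONNREFUSED) or no route/firewall (timeout)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_events(host, port, events, timeout=3.0):
    """Write each event as one newline-terminated line over a single connection.
    A Splunk [tcp://<port>] input with no_appending_timestamp = true splits on
    the newline, so this mirrors what tcpout puts on the wire."""
    payload = "".join(e + "\n" for e in events).encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(events)


class _LineHandler(socketserver.StreamRequestHandler):
    def handle(self):
        for raw in self.rfile:  # one line per event, as the input would see it
            self.server.lines.append(raw.decode("utf-8").rstrip("\n"))


class LineCollector(socketserver.ThreadingTCPServer):
    """Throw-away stand-in for the Splunk raw TCP input on an ephemeral loopback port."""
    allow_reuse_address = True

    def __init__(self):
        super().__init__(("127.0.0.1", 0), _LineHandler)
        self.lines = []
        self.thread = threading.Thread(target=self.serve_forever, daemon=True)
        self.thread.start()

    @property
    def port(self):
        return self.server_address[1]

    def wait_for(self, count, timeout=3.0):
        """Poll until `count` lines arrived or the timeout expires; return a copy."""
        deadline = time.monotonic() + timeout
        while len(self.lines) < count and time.monotonic() < deadline:
            time.sleep(0.01)
        return list(self.lines)

    def stop(self):
        self.shutdown()       # stops serve_forever; server_close joins handler threads
        self.server_close()
        self.thread.join()


def local_round_trip(count=3):
    """Send constructed events to a local collector and return what it received."""
    collector = LineCollector()
    try:
        events = build_events(count)
        send_events("127.0.0.1", collector.port, events)
        return collector.wait_for(count)
    finally:
        collector.stop()


def closed_loopback_port():
    """An ephemeral port that was just released, i.e. one with no listener."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    host, port = load_tcp_destination(SAMPLE_CONF)
    print("local round trip received:", local_round_trip())
    print("listener on %s:%d reachable:" % (host, port), probe_destination(host, port))
```

Run it on the SPLUNK8-Eventgen host: if probe_destination reports the SPLUNK8 port as unreachable, the problem is the listener, routing or a firewall rather than Eventgen; if it is reachable and the events show up in index main, the input works and the missing connection is Eventgen never opening one.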
Yes, outputMode only works by using the PyPI module. The Eventgen Splunk App uses modinput as the outputMode.
Thank you for your clarification.