
Eventgen basic configuration, but still not generating any events

Champion

Hi All,
I have been following this doc:
http://splunk.github.io/eventgen/

  1. a fresh splunk installation
  2. splunk eventgen installed as a Splunk App.
  3. created a sample app (testapp)
  4. given permission as "All apps (system)"
  5. created this file:
    /opt/splunk/etc/apps/testapp/default/eventgen.conf

    [sample.tutorial1]
    mode = replay
    sampletype = csv
    timeMultiple = 2
    backfill = -15m
    backfillSearch = index=main sourcetype=splunkd

    outputMode = splunkstream
    splunkHost = localhost
    splunkUser = admin
    splunkPass = changeme

    token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
    token.0.replacementType = timestamp
    token.0.replacement = %Y-%m-%d %H:%M:%S,%f

    updated the password:
    splunkUser = admin
    splunkPass = changeme

  6. a sample file is already present at
    /opt/splunk/etc/apps/SA-Eventgen/samples/sample.tutorial1

  7. Restarted Splunk. No events.

  8. Copied the above file to testapp:
    cp /opt/splunk/etc/apps/SA-Eventgen/samples/sample.tutorial1 /opt/splunk/etc/apps/testapp/samples

  9. Restarted Splunk. No events.

Any help would be appreciated. Thanks!


Re: Eventgen basic configuration, but still not generating any events

Champion

Any updates, please?


Re: Eventgen basic configuration, but still not generating any events

Splunk Employee
  1. First you need to enable Eventgen modular input. Settings > Data Inputs > Local Inputs > SA-Eventgen > Enable
  2. When you are using SA-Eventgen, by default the outputMode = modinput instead of splunkstream. So you can change the conf to:
    [sample.tutorial1]
    mode = replay
    sampletype = csv
    timeMultiple = 2
    backfill = -15m
    backfillSearch = index=main sourcetype=splunkd

    token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
    token.0.replacementType = timestamp
    token.0.replacement = %Y-%m-%d %H:%M:%S,%f

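A check for the problem the answer above describes, added here as an example (it is not code from the thread or from the Eventgen project). It parses an eventgen.conf stanza, flags `outputMode = splunkstream` and a cleartext `splunkPass`, and tests each token regex against sample lines; the function name, finding codes and the sample event line are assumptions made for illustration.

```python
import configparser
import re

# Constructed input: the stanza as first posted in this thread.
SAMPLE_CONF = r"""
[sample.tutorial1]
mode = replay
sampletype = csv
outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme
token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f
"""
# Constructed event line in the timestamp layout the token regex targets.
SAMPLE_LINE = "2014-01-04 20:00:00,123 INFO constructed sample event"

def lint_eventgen(conf_text, sample_lines):
    """Return (stanza, code, message) findings; names and codes are hypothetical."""
    # interpolation=None: '%Y-%m-%d' must not be read as configparser interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (outputMode, splunkPass)
    cp.read_string(conf_text)
    findings = []
    for stanza in cp.sections():
        opts = cp[stanza]
        if opts.get("outputMode") == "splunkstream":
            findings.append((stanza, "OUTPUT_MODE",
                             "splunkstream set; under SA-Eventgen leave the default modinput"))
        if "splunkPass" in opts:
            note = " (well-known default value)" if opts["splunkPass"] == "changeme" else ""
            findings.append((stanza, "CLEARTEXT_CRED",
                             "splunkPass stored in cleartext in the app conf" + note))
        for key, pattern in opts.items():
            if not re.fullmatch(r"token\.\d+\.token", key):
                continue
            try:
                rx = re.compile(pattern)
            except re.error as exc:
                findings.append((stanza, "TOKEN_BAD_REGEX", f"{key}: {exc}"))
                continue
            if not any(rx.search(line) for line in sample_lines):
                findings.append((stanza, "TOKEN_NO_MATCH",
                                 f"{key} matches no sample line, so no timestamp is replaced"))
    return findings

if __name__ == "__main__":
    for finding in lint_eventgen(SAMPLE_CONF, [SAMPLE_LINE]):
        print(*finding, sep=" | ")
```

Run against the corrected stanza from the answer (no `outputMode` or `splunk*` keys), the same function returns no findings.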

Re: Eventgen basic configuration, but still not generating any events

Champion

Ya, I created this config file. Modular input has been enabled, but no events yet.

    [root@ip-address default]# pwd
    /opt/splunk/etc/apps/testapp/default
    [root@ip-address default]# more eventgen.conf
    [sample.tutorial1]
    mode = replay
    sampletype = csv
    timeMultiple = 2
    backfill = -15m
    backfillSearch = index=main sourcetype=splunkd

    outputMode = splunkstream
    splunkHost = localhost
    splunkUser = admin
    splunkPass = changeme

    token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
    token.0.replacementType = timestamp
    token.0.replacement = %Y-%m-%d %H:%M:%S,%f
    [root@ip-address default]#


Re: Eventgen basic configuration, but still not generating any events

Splunk Employee

Do not use outputMode=splunkstream. Check the conf in my answer.


Re: Eventgen basic configuration, but still not generating any events

Champion

Ya, I updated the config file.

    [root@ip-address default]# more eventgen.conf
    [sample.tutorial1]
    mode = replay
    sampletype = csv
    timeMultiple = 2
    backfill = -15m
    backfillSearch = index=main sourcetype=splunkd

    token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
    token.0.replacementType = timestamp
    token.0.replacement = %Y-%m-%d %H:%M:%S,%f
    [root@ip-address default]# pwd
    /opt/splunk/etc/apps/testapp/default
    [root@ip-address default]#


Re: Eventgen basic configuration, but still not generating any events

Splunk Employee

I can get events after waiting for a while using the same config above. Try searching index=main to check the events.


Re: Eventgen basic configuration, but still not generating any events

Splunk Employee

Also check that your testapp has global permission.


Re: Eventgen basic configuration, but still not generating any events

Champion

Testapp permissions modified to global. Waited for a few mins, but no events yet.
Should I restart Splunk?


Re: Eventgen basic configuration, but still not generating any events

Splunk Employee

No need to restart Splunk. I cannot reproduce your issue. You can check the logs.
