Hello dear Splunkers. I'm trying to generate some access log data in Splunk with Eventgen, but I might be doing something wrong.
1) Created "test_app" folder in splunk/etc/apps
2) Have put eventgen in test_app/default/
3) Got some access log samples from Splunk TA Apache
Please find attached screenshots below. Thanks in advance!
Notwithstanding any issues with your sample and config, ensure the following 2 basic setup tasks have been done:
Can you please check this out? https://www.splunk.com/blog/2013/07/31/an-easy-way-to-generate-sample-data.html
You need to have your sample file, eventgen.conf and optionally inputs.conf to be able to replay samples to create events for you.
If Splunk TA Apache has samples and eventgen.conf as part of the app, and you enable your SA-eventgen app and restart your instance, it should work and generate events. [eventgen is to be used only in dev/testing and not in live]
I tried these steps too. No use, still getting no data but some errors like:
03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 336, in _worker_do_work
Is eventgen working for any other samples in your env? [ you can also use the GUI in the eventgen to help troubleshoot]
Nope, it is not. How do I use the GUI in EvGen?
Log on to the Splunk user interface, go to 'Apps' at the top and select 'Manage Apps'. Then navigate to the SA-eventgen app and click 'Launch app'. This will bring up the GUI and you can enter your sample OR select 'All'.
If the app is not enabled, please enable the app.
I tried to do it, but EvGen just opens it like a new search 😕
Seems a new and better version of eventgen is available. Please check and install this and re-test your scenario. The docs also appear better and all in one place now: https://splunkbase.splunk.com/app/1924/#/details
@damiko
Are you using the latest Eventgen? https://splunkbase.splunk.com/app/1924
Can you please check that SA-Eventgen as an input under Settings > Data inputs is enabled?
see: http://splunk.github.io/eventgen/SETUP.html#Finishing%20the%20Install
My comments with error messages keep getting deleted o_o.
03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 336, in _worker_do_work
Yes, I'm using the latest EvGen and yes, Data inputs are enabled.
@damiko
Can you please share your sample events and sample values?
Sure, no problem. However, where do I get sample events? Sorry, new to Splunk 🙂
https://ibb.co/X2RBdN9
https://ibb.co/ynCDcRm
It would be great if you gave me the first line (as text) from apache_access_log.sample.
:)
I have so many errors there, wow.
Here are some examples:
10.0.0.48 - damir [05/Mar/2019:16:10:17.323 +0600] "GET /en-US/splunkd/_raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=test_app&search=search+index%3D%22_internal%22+eventgen+ERROR&useTypeahead=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&=1551779967811 HTTP/1.1" 200 5502 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" - 99870ee535dcbf8f5b8c46463a93530a 70ms
03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" NameError: global name 'get_time_difference' is not defined
03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" raise e
03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 336, in _worker_do_work
Oh, ok. My bad 😄
Please check below:
There are 3 cell symbols before SRC, but they keep being deleted in a comment, not in splunk folder 🙂
SRC_IP ### ### SITE ### - ### USER ### 80 [03/May/2016:12:59:05 -0700] "GET /server-status?auto HTTP/1.1" "?auto" 200 871 "-" "### USER_AGENT ###" 146 1024 1253
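For reference, this is an eventgen.conf stanza that would drive the sample line above, added here as an example (it is not the original poster's config and not taken from Splunk TA Apache). The stanza name, the `samples/` paths, the index/sourcetype values and the replacement lists are assumptions.

```ini
# test_app/default/eventgen.conf (added example; paths and values are assumptions)
# The stanza name must match the sample file name under test_app/samples/.
[apache_access_log.sample]
mode = sample
sampletype = raw
interval = 10
earliest = -10s
latest = now
count = 20
index = main
sourcetype = access_combined
source = /var/log/httpd/access_log
host = web01.example.test

# Rewrite the bracketed timestamp so generated events fall inside the
# earliest/latest window; otherwise they land in 2016 and a recent-time
# search shows "no data" even though Eventgen is working.
token.0.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %d/%b/%Y:%H:%M:%S

# "### SRC_IP ###" -> a random IPv4 address per event
token.1.token = ### SRC_IP ###
token.1.replacementType = random
token.1.replacement = ipv4

# "### SITE ###" -> one entry from a fixed list of virtual hosts
token.2.token = ### SITE ###
token.2.replacementType = random
token.2.replacement = list["www.example.test","intranet.example.test"]

# "### USER ###" -> a random line from a one-column file (assumed path)
token.3.token = ### USER ###
token.3.replacementType = file
token.3.replacement = $SPLUNK_HOME/etc/apps/test_app/samples/users.sample

# "### USER_AGENT ###" -> a random line from a one-column file (assumed path)
token.4.token = ### USER_AGENT ###
token.4.replacementType = file
token.4.replacement = $SPLUNK_HOME/etc/apps/test_app/samples/user_agents.sample
```

Each `token.N.token` is a regular expression matched against the raw sample line, so a token that was mangled when the sample was pasted (for example the `###` markers) simply never matches and the placeholder text is emitted unchanged; that is the first thing to check in `index="_internal" eventgen ERROR` and in the generated events themselves.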
Thanks @damiko
Meanwhile, can you please check for any backend errors in splunkd? Just execute the search below:
index="_internal" eventgen ERROR
From the samples folder. See your screenshot screenshot-89.png.
Please follow the links I've added on my previous comment.