
Eventgen is not generating any data.

Communicator

Hello dear Splunkers. I'm trying to generate some access log data in Splunk with Eventgen, but I might be doing something wrong.
1) Created "test_app" folder in splunk/etc/apps
2) Have put eventgen in test_app/default/
3) Got some access log samples from Splunk TA Apache

Please find attached screenshots below. Thanks in advance!


Explorer

Notwithstanding any issues with your sample and config, ensure the following 2 basic setup tasks have been done:

  1. Enable the eventgen modular input. I'm using version 6.5.2, where it is disabled by default.
  2. Set your app to global permissions. This is where I got stuck; having skim-read the manual a couple of times, I failed to read the final paragraph where it is mentioned.

SplunkTrust

Can you please check this out? https://www.splunk.com/blog/2013/07/31/an-easy-way-to-generate-sample-data.html

You need to have your sample file, eventgen.conf and optionally inputs.conf to be able to replay samples to create events for you.

If Splunk TA Apache has samples and eventgen.conf as part of the app, and you enable your SA-eventgen app and restart your instance, it should work and generate events. [Eventgen is to be used only in dev/testing and not in live.]


Communicator

I tried these steps too. No use, still getting no data but some errors like:
03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 336, in _worker_do_work


SplunkTrust

Is eventgen working for any other samples in your env? [You can also use the GUI in eventgen to help troubleshoot.]


Communicator

Nope, it is not. How do I use the GUI in EvGen?


SplunkTrust

Log on to the Splunk user interface, go to 'Apps' at the top and select 'Manage Apps'. Then navigate to the SA-eventgen app and click 'Launch app'. This will bring up the GUI, and you can enter your sample OR select 'All'.

If the app is not enabled, please enable the app.


Communicator

I tried to do it, but EvGen just opens it like a new search 😕


SplunkTrust

Seems a new and better version of eventgen is available. Please check and install this and re-test your scenario. The docs also appear better and all in one place now: https://splunkbase.splunk.com/app/1924/#/details


SplunkTrust

@damiko

Are you using the latest Eventgen? https://splunkbase.splunk.com/app/1924

Can you please check that SA-Eventgen is enabled as an input under Settings > Data inputs?

See: http://splunk.github.io/eventgen/SETUP.html#Finishing%20the%20Install


Communicator

My comments with error messages keep getting deleted o_o.

03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 336, in _worker_do_work


Communicator

Yes, I'm using the latest EvGen, and yes, Data inputs are enabled.


SplunkTrust

@damiko

Can you please share your sample events and sample values?


Communicator

Sure, no problem. However, where do I get sample events? Sorry, new to Splunk 🙂
https://ibb.co/X2RBdN9
https://ibb.co/ynCDcRm


SplunkTrust

@damiko

It would be great if you gave me the first line (as text) from apache_access_log.sample.
:)

Communicator

I have so many errors there, wow.
Here are some examples:

10.0.0.48 - damir [05/Mar/2019:16:10:17.323 +0600] "GET /en-US/splunkd/_raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=test_app&search=search+index%3D%22_internal%22+eventgen+ERROR&useTypeahead=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&=1551779967811 HTTP/1.1" 200 5502 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" - 99870ee535dcbf8f5b8c46463a93530a 70ms

03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" NameError: global name 'get_time_difference' is not defined

03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" raise e

03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 336, in _worker_do_work


Communicator

Oh, ok. My bad 😄
Please check below:
There are 3 cell symbols before SRC, but they keep getting deleted in the comment, not in the Splunk folder 🙂

SRC_IP ### ### SITE ### - ### USER ### 80 [03/May/2016:12:59:05 -0700] "GET /server-status?auto HTTP/1.1" "?auto" 200 871 "-" "### USER_AGENT ###" 146 1024 1253

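For reference, an eventgen.conf that would drive a sample line shaped like the one above. This is an added illustration, not the original poster's file nor anything shipped with Eventgen or Splunk TA Apache; the app and sample file names come from the thread, while the index, sourcetype, host and token spellings (`###SRC_IP###` etc., matching the "3 symbols before SRC" the poster describes) are assumptions.

```ini
# test_app/default/eventgen.conf  (illustrative, assumed layout)
# The stanza name is the sample file, looked up in test_app/samples/.
[apache_access_log.sample]
mode = sample
sampletype = raw
interval = 10          ; seconds between generation rounds
earliest = -10s        ; spread generated timestamps over the last 10 s
latest = now
count = 20             ; events per round
outputMode = modinput  ; hand events to the SA-Eventgen modular input
index = main           ; assumed target index; create or change as needed
sourcetype = access_combined
source = eventgen
host = webserver01.example.local   ; constructed value

# Tokens: every ###NAME### placeholder in the sample is replaced per event.
token.0.token = ###SRC_IP###
token.0.replacementType = random
token.0.replacement = ipv4

token.1.token = ###SITE###
token.1.replacementType = static
token.1.replacement = www.example.local

token.2.token = ###USER###
token.2.replacementType = static
token.2.replacement = testuser

# Pull user agents from a one-per-line file (assumed to exist in samples/).
token.3.token = ###USER_AGENT###
token.3.replacementType = file
token.3.replacement = $SPLUNK_HOME/etc/apps/test_app/samples/userAgents.sample

# Rewrite the Apache timestamp so events land inside the earliest/latest window.
token.4.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [-+]\d{4}
token.4.replacementType = timestamp
token.4.replacement = %d/%b/%Y:%H:%M:%S %z
```

After adding or changing the file, the app must be shared globally and the SA-Eventgen input enabled (as the earlier replies note), then Splunk restarted; the search `index="_internal" eventgen ERROR` quoted later in the thread shows whether the config parsed.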

SplunkTrust

Thanks @damiko

Meanwhile, can you please check for any backend errors in splunkd? Just execute the search below:

index="_internal" eventgen ERROR

SplunkTrust

From the samples folder. See your screenshot, screenshot-89.png.

Communicator

Please follow the links I've added on my previous comment.
