Solved: Re: Using SA Eventgen App, how do I generate the e...

koshyk · ‎09-11-2018

Have been using eventgen for quite some years, but still I can't figure out how to generate exactly the same events (of course timestamp and parameters changed) from a sample file.

Example, I've got a sample file with 10 events. All I need is these 10 events "sampled", just to ensure those 10 events happened in the last 1 hour. Here is a config example

# To generate 
mode = sample
sampletype = csv
backfill = -1h
earliest = -1h
latest = now
outputMode = file
fileName = /tmp/myeventGenfile.out

The above config generates the output file correctly, but the events are repeated by about 8x. So I will receive 80 events (8x cloning of original sample/seed file within matter of seconds).

Any idea to make sure it generates only 1x clone of the seed file?

PS: I tried putting options like (different combinations)

end=10   # thought it makes exactly 10 events and exit. But rather it waits to hit the timer of 10 events and multiplies
timeMultiple = 2  # This slows down, but cannot ensure exact events are output
backfill = -15min  # Played around various values

But none of the above works.

koshyk · ‎08-30-2019

The below config works

[yourstanza]
mode = sample
sampletype = csv

# backfill sufficiently
backfill = -15m
outputMode = file
fileName = /tmp/eventgen.test.log

# Interval chosen So that it won't be triggered within the time of execution
interval = 36000
earliest = -60m
latest = now

# END will determine exactly one replication
end=1

View solution in original post

koshyk · ‎08-30-2019

The below config works

[yourstanza]
mode = sample
sampletype = csv

# backfill sufficiently
backfill = -15m
outputMode = file
fileName = /tmp/eventgen.test.log

# Interval chosen So that it won't be triggered within the time of execution
interval = 36000
earliest = -60m
latest = now

# END will determine exactly one replication
end=1

coccyx · ‎09-11-2018

As I recall (been a while since I wrote it), Eventgen doesn't have a concept of "ending", it will always keep generating new data. What is your interval and count set to? Eventgen will generate count events every interval. What you're seeing most likely is that it is generating multiple intervals of events. By default, count=0, which means to use the whole file. With that default, what you're seeing is that every interval it'll keep just putting the whole file out.

koshyk · ‎09-11-2018

@coccyx thanks mate. I have count=0 (as it is default). So was thinking how to end it after 1st iteration. So what you are saying is to increase interval to a large value and cancel it out (or kill process) after x seconds?

coccyx · ‎09-11-2018

Default interval is 60 seconds. Yes, if you want to generate one and only one copy, set the interval up to an impossibly high number.

https://github.com/splunk/eventgen/blob/develop/splunk_eventgen/default/eventgen.conf#L22

It should be noted, you may find gogen to be a better experience and it supports the concept of ending after a number of intervals.

https://github.com/coccyx/gogen

koshyk · ‎09-13-2018

thanks again mate. If you can put the comment as an Answer, I will mark it as answer and upvote. Cheers again for your help

Using SA Eventgen App, how do I generate the exact same count of events from the sample file?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk