Splunk Enterprise Security

Test Triggering Events in Splunk Enterprise

Sherminator
Engager

Hello, 

We have a large number of dashboards and queries in our Splunk instance, and some of those are meant for monitoring security-relevant events that never really occur. I'm working toward setting up a service/executable to send WinEVT codes for each event we monitor via a test account. This would allow us to confirm that we are indeed successfully monitoring for events, and aren't missing anything.

Currently, I'm failing to get the list of event IDs to write on a Windows host. Is there another method I could use to ingest a list of event IDs into Splunk to prove our dashboards/queries are working correctly? I realize I could go and physically perform each of the monitored activities, but that would take forever and a day.

Thanks in advance for any help!

0 Karma

livehybrid
SplunkTrust

Hi @Sherminator 

You could look at using https://splunkbase.splunk.com/app/1924 Eventgen - there used to be an eventgen config inside the Splunk_TA_windows app but I've just checked the latest version and it isn't there... you may find it in a previous version though.

There are also some sample events in https://github.com/splunk/security_content/tree/develop/data_sources which might be helpful.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Sherminator
Engager

Thank you for your response, I will look into this!

0 Karma

inventsekar
SplunkTrust

Hi @Sherminator , 

1) EventGen is a great tool but a super poorly documented one. I have struggled with it multiple times and all attempts went to failure.
I would suggest you give it a try; if it takes hours and hours, stop there and check the other options.
2) The other option, security_content --> data_sources, is a good one (I would suggest trying this one first, then EventGen).

for example:
https://github.com/splunk/security_content/blob/develop/data_sources/windows_event_log_security_1100...
has an example_log near the bottom of that page.

Please provide us some more details:
1) On-prem or Splunk Cloud
2) Using an HF (heavy forwarder) or not
3) Test triggering events from Windows hosts or Linux hosts, etc.



----------------------------------------------------------------------------------------------
If this post or any post addressed your question, could you please:
Give it karma to show appreciation

PS - As of Apr 2026, my Karma Given is 2290 and my Karma Received is 494, lets revamp the Karma Culture!
Thanks and best regards, Sekar
----------------------------------------------------------------------------------------------

0 Karma
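Both replies above point at the sample records under security_content/data_sources. As an added example for this thread (not code from the thread, from Splunk, or from the security_content project), here is one way to push such sample Windows event-log records into Splunk over HTTP Event Collector so the existing searches and dashboards can be run against them, and to list which monitored EventCodes have no sample yet, which is the "aren't missing anything" check the question asks for. The HEC URL and token, the index name `wineventlog`, the host name `win-evt-test` and the three XML events are placeholders or constructed for the example, modelled on the XmlWinEventLog format but not copied from any real data.

```python
"""Inject sample XmlWinEventLog records into Splunk over HEC and report
which monitored EventCodes no sample covers.

Added example for the thread, not from Splunk or splunk/security_content.
Assumes HEC is enabled; URL, token, index, host and events are placeholders
or constructed samples.
"""
import json
import re
import ssl
import urllib.request

# Constructed samples, trimmed to the fields this script needs.
_NS = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
_SYS = ('<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        '<EventID>{eid}</EventID><Channel>Security</Channel>'
        '<Computer>win-evt-test.example.local</Computer></System>')
SAMPLE_EVENTS = [
    # 4624: successful logon
    _NS + _SYS.format(eid=4624) + '<EventData><Data Name="TargetUserName">'
    'svc_splunktest</Data><Data Name="LogonType">3</Data></EventData></Event>',
    # 4688: process creation
    _NS + _SYS.format(eid=4688) + '<EventData><Data Name="NewProcessName">'
    'C:\\Windows\\System32\\cmd.exe</Data><Data Name="SubjectUserName">'
    'svc_splunktest</Data></EventData></Event>',
    # 4720: user account created
    _NS + _SYS.format(eid=4720) + '<EventData><Data Name="TargetUserName">'
    'tmp_splunktest</Data></EventData></Event>',
]

_EVENT_ID = re.compile(r"<EventID[^>]*>(\d+)</EventID>")
_CHANNEL = re.compile(r"<Channel>([^<]+)</Channel>")


def event_id(xml_event: str) -> int:
    """Return the EventID of one XML record (what Splunk extracts as EventCode)."""
    m = _EVENT_ID.search(xml_event)
    if not m:
        raise ValueError("no <EventID> element in sample")
    return int(m.group(1))


def channel(xml_event: str) -> str:
    """Return the log channel (Security, System, ...) of one record."""
    m = _CHANNEL.search(xml_event)
    return m.group(1) if m else "Security"


def coverage_gaps(monitored_ids, events) -> list:
    """Monitored EventCodes for which no sample exists; these searches will
    never be exercised by an injection run built from `events`."""
    covered = {event_id(e) for e in events}
    return sorted(set(monitored_ids) - covered)


def build_hec_payloads(events, index: str, host: str) -> list:
    """One HEC JSON object per event. index/sourcetype/source must match what
    the real Windows inputs produce, or searches scoped to them will not
    see the test data. A distinctive host keeps test events recognisable."""
    return [
        {"event": e, "index": index, "host": host,
         "sourcetype": "XmlWinEventLog",
         "source": f"XmlWinEventLog:{channel(e)}"}
        for e in events
    ]


def send_to_hec(hec_url: str, token: str, payloads, verify_tls: bool = True) -> int:
    """POST newline-delimited JSON to /services/collector/event and return the
    HTTP status. Only disable TLS verification in a lab."""
    body = "\n".join(json.dumps(p) for p in payloads).encode()
    req = urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event", data=body,
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"}, method="POST")
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder list of EventCodes the dashboards watch for.
    MONITORED = [1102, 4624, 4688, 4720, 4732]
    print("monitored EventCodes with no sample:",
          coverage_gaps(MONITORED, SAMPLE_EVENTS))
    payloads = build_hec_payloads(SAMPLE_EVENTS, "wineventlog", "win-evt-test")
    print(json.dumps(payloads[0], indent=2))
    # Replace the placeholders and uncomment to actually send:
    # print(send_to_hec("https://splunk.example.local:8088", "<HEC-TOKEN>", payloads))
```

Send the test records to the same index and sourcetype your Windows inputs use; a search scoped to `index=wineventlog sourcetype=XmlWinEventLog EventCode=4720` never matches data that landed elsewhere. The distinctive host value is deliberate: alerts that fire on the injected events prove the pipeline, and `host!=win-evt-test` excludes them from real investigations afterwards. This also sidesteps the problem in the original question: on the Windows side, Write-EventLog can write to the Application log or a custom log with a registered source, but not to the Security log, so Security-audit EventCodes such as 4624 or 4720 cannot be fabricated on the host that way; injecting samples into Splunk is the practical route for those.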