Re: SA-Eventgen replay - leaking events with backf...

ldongradi_splun · ‎08-29-2020

I'd like to replay a log, simulating prod, and continuously generating events (every 30 seconds is fine).

I'm all good with sample mode, but it looks like I can only have random timestamps between earliest/latest. As with this code, giving my 28k events generated again and again every 30s with new timestamps from -1w till now. Problem is I'd like to keep the sequence of events.

Can I have sample mode not scramble the timestamps ?

[myfile.sample]
mode = sample
outputMode = file
fileName =/opt/log/mynew.log
interval = 30
earliest=-1w
latest=now

token.0.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %d/%b/%Y:%T

Instead, I am trying replay mode. But I can't get the outputfile generated. Nothing.

What is wrong with my replay mode?

[myfile.sample]
mode = replay
outputMode = file
fileName =/opt/log/mynew.log
count = 0
interval = 30
earliest=now
latest=now

token.0.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}
token.0.replacementType = replaytimestamp
token.0.replacement = %d/%b/%Y:%T

Thanks for your help.

ldongradi_splun · ‎08-30-2020

Almost there!

I had a bad substitution in the regex, missing \/ for / as eventgen logs told me.

Now, trying to replay 1 event at a time from that big 10k raw sample.

Can I use specific timestamps with SA-Eventgen in sample mode?

development

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!