Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I use specific timestamps with SA-Eventgen in sample mode?

ldongradi_splun
Splunk Employee
Splunk Employee
‎08-29-2020 02:26 AM

I'd like to replay a log, simulating prod, and continuously generating events (every 30 seconds is fine).

I'm all good with sample mode, but it looks like I can only have random timestamps between earliest/latest. As with this code, giving my 28k events generated again and again every 30s with new timestamps from -1w till now. Problem is I'd like to keep the sequence of events.

Can I have sample mode not scramble the timestamps ?

 

[myfile.sample]
mode = sample
outputMode = file
fileName =/opt/log/mynew.log
interval = 30
earliest=-1w
latest=now

token.0.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %d/%b/%Y:%T

 

Instead, I am trying replay mode. But I can't get the outputfile generated. Nothing.

What is wrong with my replay mode?

 

[myfile.sample]
mode = replay
outputMode = file
fileName =/opt/log/mynew.log
count = 0
interval = 30
earliest=now
latest=now

token.0.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}
token.0.replacementType = replaytimestamp
token.0.replacement = %d/%b/%Y:%T

 

Thanks for your help.

Labels (1)
Labels
0 Karma
Reply

ldongradi_splun
Splunk Employee
Splunk Employee
‎08-30-2020 03:30 AM

Almost there!

I had a bad substitution in the regex, missing \/ for / as eventgen logs told me.

Now, trying to replay 1 event at a time from that big 10k raw sample. 

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...