Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Flood Splunk with test data to performance test real time dashboards and to war game

neleisla
New Member
‎05-08-2017 07:13 AM

Hi,

I want to flood splunk with a high number of test data to be able to identify flaws in the current alerting and monitoring systems I have in place. The test data will:
- Check whether there is any data loss i.e. no alerts sent etc
- Identify any performance issues with real time dashboards
- Help identify flaws in human process

The test data should not interfere with the real data being recorded and should be easily removed from Splunk logs.

Can anyone suggest the best way to do this?

Thanks
N

0 Karma
Reply

timpacl
Path Finder
‎05-17-2017 01:34 PM

Another consideration is the impact of large ingestion of test data on your data retention across all indexes. If you operate near the maxVolumeDataSizeMB, the test data can cause your other data to drop/archive early due to drive space considerations.

0 Karma
Reply

adonio
Ultra Champion
‎05-08-2017 07:34 AM

Hello neleisla,
you can achieve this with the Event Generator, read here:
https://splunkbase.splunk.com/app/1924/
download here:
https://github.com/splunk/eventgen
another option is to create a script that generates huge dumb files and have splunk constantly monitor that file.
if you want the data to not interfere with existing data, just make sure you are writing it to a different index and that no role can search that index by default.
If it is a clustered environment, it will be very difficult to get rid of this data, if it is not clustered, you can remove the data simply by stopping splunk: ./splunk stop and then cleaning data

  ./splunk clean eventdata -index YourDumDataIndex

BTW, data onboarded by method provided above will count against your license so be prepared

hope t helps

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...