Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to specify ip range or network for ipv4 random generation with eventgen ?

matthieu_araman
Communicator
‎11-05-2014 08:29 AM

Hello,

I'm trying to generate sample logs with eventgen
in my eventgen.conf, I'm using
token.1.token = ipsrc
token.1.replacementType = random
token.1.replacement = ipv4

token.2.token = ipdst
token.2.replacementType = random
token.2.replacement = ipv4

The conf is working but the logs are too random, which is not realistic
The tutorial talks about possibilities to add argument and gives examples for float, integer, .... but not for ipv4 (and ipv6)
I would like to restrict the random for exemple 10/8

Is there any parameter to use after ipv4 or do I have to workaround it (by using a sample file with ips or several tokens + integer, recreating the ip ?

Tags (3)
0 Karma
Reply

jgoddard
Path Finder
‎03-19-2015 09:40 AM

I am just getting started with EventGen myself. This would be a sweet addition to this tool, but as of yet doesn't seem to be possible the way you wish. From :
[sample filename]
* This stanza defines a given sample file contained within the samples directory.
* This stanza can be specified as a PCRE.
* Hardcoded to $SPLUNK_HOME/etc/apps//samples/.
* This stanza is only valid for the following replacementType -> replacement values:

    * static -> <string>
    * timestamp -> <strptime>
    * replaytimestamp -> <strptime>
    * random -> ipv4
    * random -> ipv6
    * random -> mac
    * random -> integer[<start>:<end>]
    * random -> float[<start.numzerosforprecision>:<end.numzerosforprecision>]
    * random -> string(<integer>)
    * random -> hex([integer])
    * rated -> integer[<start>:<end>]
    * rated -> float[<start.numzerosforprecision>:<end.numzerosforprecision>]
    * file -> <replacment file name>
    * mvfile -> <replacement file name, expects CSV file>:<column number>

disabled = true | false
* Like what it looks like. Will disable event generation for this sample.

I suspect you will just want to do what most people seem to do for this issue, just use the file replacement and generate a list of pseudo random IP addresses. The samples (and README) directory in the SA-EventGen app does have some excellent examples.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...