Hi! I'm having a real issue trying to get eventgen working. I'm trying to use the outputMode = s2s but it is bombing out with the below.

2021-07-28 15:06:42 eventgen ERROR MainProcess 'utf-8' codec can't decode byte 0xb3 in position 3: invalid start byte
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/eventgen_core.py", line 304, in _worker_do_work
    item.run()
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/outputplugin.py", line 39, in run
    self.flush(self.events)
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 204, in flush
    m["_time"],
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 173, in send_event
    e = self._encode_event(index, host, source, sourcetype, _raw, _time)
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 124, in _encode_event
    encoded_raw = self._encode_key_value("_raw", _raw)
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 78, in _encode_key_value
    return "%s%s" % (self._encode_string(key), self._encode_string(value))
  File "/usr/lib/python3.7/site-packages/splunk_eventgen/lib/plugins/output/s2s.py", line 69, in _encode_string
    "utf-8"
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb3 in position 3: invalid start byte

My eventgen.conf file looks like this:

[cisco_asa.sample]
mode = replay
count = -1
timeMultiple = 1
sampletype = raw
# outputMode = tcpout
outputMode = s2s
splunkHost = splunk_search
splunkPort = 9997
source = udp:514
host = boundary-fw1
index = main
sourcetype = cisco:asa
# tcpDestinationHost = splunk_uf1
# tcpDestinationPort = 3333
token.0.token = \w{3} \d{2} \d{2}:\d{2}:\d{2}
token.0.replacementType = replaytimestamp
token.0.replacement = %b %d %H:%M:%S

It works fine with tcpout (the commented out bits above) but not as s2s. I'm executing eventgen like this:

/usr/bin/python3.7 /usr/bin/splunk_eventgen -v generate /opt/splunk-eventgen/default/eventgen.conf

The reason I'm using s2s is I'd like to generate sample data as if it's coming from many hosts, sources and sourcetypes and I can't do that if I'm using tcpout.

In the above config, splunk_search is a standalone test Splunk install. Sending directly to this Splunk host via s2s fails. If I switch back to tcpout, then I'm sending to a Splunk UF with a tcpinput configured, which is then sending to splunk_search via tcp/9997.

eventgen was installed and configured as per http://splunk.github.io/eventgen/SETUP.html#install

Any suggestions?