
Where to deploy Eventgen in a distributed deployment?

helge
Builder

We have created our own Eventgen app which holds sample data and the eventgen.conf file. Looking at Splunk's Eventgen documentation, it is not entirely clear where such an app needs to reside in a distributed deployment with multiple clustered search heads and indexers.

From our testing it looks like any one indexer would be the correct choice, however we would like to get confirmation on that.

FYI, we are planning to deploy our eventgen app in a mode that does not require Splunk authentication, i.e. by setting splunkHost to localhost.

Note: this question is about version 4 of Splunk's Eventgen.


adonio
Ultra Champion

In any distributed Splunk environment in general, and in a clustered one in particular, it will be best to install eventgen and the relevant apps with eventgen.conf only on the Heavy Forwarder and send the generated data to the indexer layer.
Here are some of the reasons why not to install on the indexer(s):
1. if it is a distributed search (not clustered), it will cause indexer imbalance due to extra load on a single indexer
2. installing eventgen on all indexers will carry load on all indexers as well as impact licensing
3. minor changes, or simply not paying attention and forgetting to remove eventgen.conf from TAs on indexers, will cause eventgen to generate fake data and mix it with real, important data
4. control of your inputs.conf for each indexer and a need for an updated indexes.conf to match the relevant "fake eventgen data"

Why install eventgen on the Heavy Forwarder?
1. a single Splunk instance to test and verify results in
2. single control over eventgen configurations
3. ability to decide where and when to send the data
4. controlling only inputs.conf and leaving indexes.conf at the indexer layer helps in preventing data mixup

hope that clarifies it

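The accepted answer's reasons 3 and 4 (a forgotten eventgen.conf inside a TA on an indexer, and sample data landing in a production index) are both things you can check for mechanically. The script below is an added example written for this page; it is not code from the thread, from Splunk or from the Eventgen project. It walks a Splunk etc/apps tree, parses every eventgen.conf it finds (default and local layers), and reports enabled generator stanzas that sit on a role other than the heavy forwarder, or that do not target a dedicated index. The key names it reads (index, disabled, outputMode, splunkHost) are Eventgen 4 eventgen.conf keys; the app tree it audits is constructed in a temporary directory so the script runs offline, and the role names and the "eventgen_demo" index are assumptions for the example.

```python
"""Audit a Splunk etc/apps tree for Eventgen configuration that is in the wrong place.

Added example for this page; not code from the thread or the Eventgen project.
Assumptions: eventgen.conf is INI-style, [global]/[default] keys apply to every
sample stanza, and a sample stanza may set `index` and `disabled` (Eventgen 4 keys).
"""
import configparser
import tempfile
from pathlib import Path

# Roles that are allowed to carry an enabled eventgen.conf. Per the accepted
# answer, generation belongs on the heavy forwarder only (role names assumed).
ROLES_ALLOWED_TO_GENERATE = {"heavy_forwarder"}

# Indexes that must never receive generated data (assumption: "main" is production).
PRODUCTION_INDEXES = {"main"}


def find_eventgen_confs(apps_root):
    """Yield (app, layer, path) for every eventgen.conf under etc/apps/<app>/{default,local}."""
    root = Path(apps_root)
    for app_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for layer in ("default", "local"):
            conf = app_dir / layer / "eventgen.conf"
            if conf.is_file():
                yield app_dir.name, layer, conf


def parse_stanzas(conf_path):
    """Return {sample_stanza: {key: value}} with [default]/[global] keys merged in."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written (splunkHost, outputMode)
    parser.read(conf_path)
    base = {}
    for name in ("default", "global"):
        if parser.has_section(name):
            base.update(parser[name])
    return {name: {**base, **dict(parser[name])}
            for name in parser.sections() if name not in ("default", "global")}


def is_enabled(stanza):
    """A stanza generates data unless disabled = 1/true."""
    return stanza.get("disabled", "false").strip().lower() not in ("1", "true")


def audit(apps_root, role):
    """Return [(severity, message)] findings for an instance running as `role`."""
    findings = []
    for app, layer, conf in find_eventgen_confs(apps_root):
        for name, keys in parse_stanzas(conf).items():
            if not is_enabled(keys):
                continue
            where = f"{app}/{layer}/eventgen.conf [{name}]"
            if role not in ROLES_ALLOWED_TO_GENERATE:
                # Reason 3 from the answer: a live generator on an indexer or
                # search head writes fake events next to real ones.
                findings.append(("HIGH", f"{where}: enabled generator on a {role}"))
                continue
            index = keys.get("index")
            if not index or index in PRODUCTION_INDEXES:
                # Reason 4: without a dedicated index the generated data is
                # indistinguishable from production data at the indexer layer.
                findings.append(("MEDIUM", f"{where}: no dedicated index (index={index!r})"))
    return findings


def build_sample_tree():
    """Write a constructed etc/apps tree into a temp dir and return its path.

    Two apps: the questioner's own eventgen app, and a TA in which an
    eventgen.conf was left behind (the failure mode the answer warns about).
    """
    root = Path(tempfile.mkdtemp(prefix="splunk_apps_"))
    (root / "my_eventgen_app" / "default").mkdir(parents=True)
    (root / "my_eventgen_app" / "default" / "eventgen.conf").write_text(
        "[global]\n"
        "outputMode = splunkstream\n"
        "splunkHost = localhost\n"
        "\n"
        "[sample_web.log]\n"
        "index = eventgen_demo\n"
        "sourcetype = access_combined\n"
        "\n"
        "[sample_auth.log]\n"
        "index = main\n"          # constructed mistake: points at production
        "sourcetype = linux_secure\n"
    )
    (root / "TA-some-ta" / "local").mkdir(parents=True)
    (root / "TA-some-ta" / "local" / "eventgen.conf").write_text(
        "[sample_fw.log]\ndisabled = true\nindex = eventgen_demo\n"
        "\n"
        "[sample_ids.log]\nindex = eventgen_demo\n"
    )
    return root


if __name__ == "__main__":
    apps = build_sample_tree()
    for role in ("heavy_forwarder", "indexer"):
        print(f"== {role} ==")
        for severity, message in audit(apps, role):
            print(f"{severity}: {message}")
```

On the heavy forwarder the only finding is the stanza that targets main; on an indexer every enabled stanza is reported, including the one hiding in TA-some-ta/local, which is exactly the TA leftover the answer describes. To run it against a real instance, replace build_sample_tree() with the path to $SPLUNK_HOME/etc/apps and pass the role the instance actually plays.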


hunters_splunk
Splunk Employee

Hi helge,

Yes, eventgen app should be deployed on the indexer tier in a distributed environment.

Hope this helps. Thanks!
Hunter
